Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)

From: Willy Tarreau (willy_at_w.ods.org)
Date: 06/13/05

    Date:	Mon, 13 Jun 2005 10:10:26 +0200
    To: Herbert Xu <herbert@gondor.apana.org.au>
    
    

    On Mon, Jun 13, 2005 at 05:45:21PM +1000, Herbert Xu wrote:
    > On Mon, Jun 13, 2005 at 08:17:48AM +0200, Willy Tarreau wrote:
    > >
    > > What's the problem with the sysctl ? If you prefer, I can change the patch
    > > to keep the feature enabled by default so that only people aware of the
    > > problem have to fix it by hand. But I found it better the other way : people
    > > who need the feature enable it by hand.
    >
    > Well that's exactly my problem :)
    >
    > I reckon it should be off by default because the threat posed by
    > this problem is IMHO small compared to some of the other standard
    > threats that are applicable to TCP. Plus this is a well-documented
    > feature so we can't be sure that someone somewhere isn't depending
    > on it.
    >
    > However, if it were off by default then there is very little value
    > in providing it at all since the same thing can be achieved easily
    > through netfilter.

    I understand your point of view.

    > Anyway, let's leave it to Dave to make the decision.

    At least, he has enough elements in his mailbox now :-)

    Cheers,
    Willy
