Date: Mon, 13 Jun 2005 17:45:21 +1000
From: Herbert Xu
To: Willy Tarreau
Cc: davem@davemloft.net, xschmi00@stud.feec.vutbr.cz, alastair@unixtrix.com, linux-kernel@vger.kernel.org, netdev@oss.sgi.com
Subject: Re: [PATCH] fix small DoS on connect() (was Re: BUG: Unusual TCP Connect() results.)
Message-ID: <20050613074521.GA21661@gondor.apana.org.au>
In-Reply-To: <20050613061748.GA13144@alpha.home.local>

On Mon, Jun 13, 2005 at 08:17:48AM +0200, Willy Tarreau wrote:
>
> What's the problem with the sysctl ? If you prefer, I can change the patch
> to keep the feature enabled by default so that only people aware of the
> problem have to fix it by hand. But I found it better the other way: people
> who need the feature enable it by hand.

Well that's exactly my problem :)

I reckon it should be off by default because the threat posed by this
problem is IMHO small compared to some of the other standard threats that
are applicable to TCP. Plus this is a well-documented feature so we can't
be sure that someone somewhere isn't depending on it.

However, if it were off by default then there is very little value in
providing it at all since the same thing can be achieved easily through
netfilter.

Anyway, let's leave it to Dave to make the decision.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~}
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt