From: Florian Westphal <fw@strlen.de>
To: netdev@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH 2/2] syncookies: enable by default
Date: Fri, 16 Oct 2009 21:51:00 +0200
Message-ID: <1255722660-12857-1-git-send-email-fw@strlen.de>
In-Reply-To: <1255722570-12803-1-git-send-email-fw@strlen.de>
Change syncookie sysctl initialization to 1.

Syn cookies have no effect under normal conditions; cookies are
only sent if a socket's syn queue is exhausted (and the connection
request would be dropped with cookies disabled).

sysctl_tcp_syncookies needs to be set to 0 in the CONFIG_SYN_COOKIES=n
case, as tcp_v4_conn_request() evaluates the variable in a conditional
expression (which then would always be false).

Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/ipv4/Kconfig | 7 +++----
net/ipv4/tcp_minisocks.c | 6 +++---
2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 70491d9..86e5bc8 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -289,7 +289,7 @@ config ARPD
If unsure, say N.
config SYN_COOKIES
- bool "IP: TCP syncookie support (disabled per default)"
+ bool "IP: TCP syncookie support"
---help---
Normal TCP/IP networking is open to an attack known as "SYN
flooding". This denial-of-service attack prevents legitimate remote
@@ -314,11 +314,10 @@ config SYN_COOKIES
server is really overloaded. If this happens frequently better turn
them off.
- If you say Y here, note that SYN cookies aren't enabled by default;
- you can enable them by saying Y to "/proc file system support" and
+ You can disable them by saying Y to "/proc file system support" and
"Sysctl support" below and executing the command
- echo 1 >/proc/sys/net/ipv4/tcp_syncookies
+ echo 0 >/proc/sys/net/ipv4/tcp_syncookies
at boot time after the /proc file system has been mounted.
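Review bot: the rewritten help paragraph tells the user how to turn cookies off but never states the new default it replaces, so after hunk 1 drops "(disabled per default)" from the prompt nothing in the Kconfig text says that cookies are now on. Suggest opening the paragraph with a sentence along the lines of "SYN cookies are enabled by default when you say Y here" before "You can disable them by saying Y to ...". The persistence advice "executing the command ... at boot time after the /proc file system has been mounted" is also dated; a `net.ipv4.tcp_syncookies = 0` entry in /etc/sysctl.conf is the usual way to make `echo 0 >/proc/sys/net/ipv4/tcp_syncookies` survive a reboot and would be worth mentioning alongside it.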
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 624c3c9..2b0ddc2 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -26,10 +26,10 @@
#include <net/inet_common.h>
#include <net/xfrm.h>
-#ifdef CONFIG_SYSCTL
-#define SYNC_INIT 0 /* let the user enable it */
-#else
+#ifdef CONFIG_SYN_COOKIES
#define SYNC_INIT 1
+#else
+#define SYNC_INIT 0 /* tcp_ipv4.c checks sysctl_tcp_syncookies even if CONFIG_SYN_COOKIES=n */
#endif
int sysctl_tcp_syncookies __read_mostly = SYNC_INIT;
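Review bot: the new `#define SYNC_INIT 0 /* tcp_ipv4.c checks sysctl_tcp_syncookies even if CONFIG_SYN_COOKIES=n */` line runs well past 80 columns; put the comment on its own line above the define. It would also help to carry the reason from the changelog into that comment: not just that tcp_ipv4.c reads the variable, but that tcp_v4_conn_request() uses it in a conditional which must stay false when cookies are compiled out, so any non-zero initializer here would silently change that path. Finally, the old `#ifdef CONFIG_SYSCTL` split is dropped entirely, so the initial value no longer depends on whether a sysctl interface exists but only on CONFIG_SYN_COOKIES; that is the intent, but a line saying so in the commit message would save the next reader a trip through the history.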
--
1.6.3.3
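A defender-side check, added here as an example and not part of Florian's patch or of the kernel tree. The patch's argument is that cookies are harmless by default because the kernel only sends them once a listener's SYN queue is exhausted, so the way to tell whether a host ever reached that condition is the kernel's own TcpExt counters (SyncookiesSent, SyncookiesRecv and SyncookiesFailed in /proc/net/netstat). The script below parses a constructed sample of that file (the values are invented) and reads the live sysctl when the file exists; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the patch: check from userspace whether a host
# has actually had to fall back to SYN cookies. The kernel only sends cookies
# once a listener's SYN queue is full, so on an idle or lightly loaded machine
# the TcpExt counters in /proc/net/netstat stay at zero whatever the
# tcp_syncookies sysctl is set to.

# syncookie_counters FILE
#   Parse the two-line "TcpExt:" header/value pair from a /proc/net/netstat
#   style file and print "sent=N recv=N failed=N".
syncookie_counters() {
    awk '
        function get(name) { return (name in idx) ? $(idx[name]) : "?" }
        # the first TcpExt: line carries the counter names
        $1 == "TcpExt:" && !seen_hdr { for (i = 2; i <= NF; i++) idx[$i] = i; seen_hdr = 1; next }
        # the second TcpExt: line carries the values, in the same column order
        $1 == "TcpExt:" && seen_hdr {
            printf "sent=%s recv=%s failed=%s\n",
                   get("SyncookiesSent"), get("SyncookiesRecv"), get("SyncookiesFailed")
            exit
        }' "$1"
}

# syncookie_verdict FILE
#   "idle" when no cookie was ever sent, otherwise "flooded (N cookies sent)":
#   a non-zero SyncookiesSent means the SYN queue overflowed at least once,
#   either from a SYN flood or from a server that is genuinely overloaded.
syncookie_verdict() {
    sent=$(syncookie_counters "$1" | sed 's/^sent=\([0-9]*\).*/\1/')
    case "$sent" in
        0)           echo idle ;;
        ''|*[!0-9]*) echo unknown ;;
        *)           echo "flooded ($sent cookies sent)" ;;
    esac
}

# tcp_syncookies_setting [PROCFILE]
#   Current value of the sysctl this patch defaults to 1, or "unavailable"
#   when the file is absent (e.g. /proc not mounted).
tcp_syncookies_setting() {
    f="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

# Constructed sample of /proc/net/netstat; the numbers are invented.
SAMPLE="${TMPDIR:-/tmp}/syncookie_sample.$$"
cat >"$SAMPLE" <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts PruneCalled
TcpExt: 1342 1201 17 0 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF

echo "tcp_syncookies = $(tcp_syncookies_setting)"
echo "sample counters: $(syncookie_counters "$SAMPLE")"
echo "sample verdict:  $(syncookie_verdict "$SAMPLE")"
```

Run it as-is to see the constructed sample parsed; point `syncookie_counters` at the real /proc/net/netstat on a Linux host to see whether the machine has ever overflowed its SYN queue. A non-zero SyncookiesSent together with the syn-flood warning from patch 1/2 is the signal the Kconfig help text is talking about when it says the server may be genuinely overloaded.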
Thread overview:
[not found] <b2cc26e40910100601q7aed04acjcc9973ef06e6458f@mail.gmail.com>
2009-10-11 10:26 ` Enable syn cookies by default Frans Pop
2009-10-15 8:59 ` Olaf van der Spek
2009-10-16 8:55 ` Jarek Poplawski
2009-10-16 19:01 ` Jarek Poplawski
2009-10-16 19:56 ` Florian Westphal
2009-10-16 19:49 ` [PATCH 1/2] syncookies: print synflood warning if syn queue is full Florian Westphal
2009-10-16 19:51 ` Florian Westphal [this message]
2009-12-08 14:47 ` Olaf van der Spek
2009-12-08 21:09 ` David Miller
2010-01-27 17:01 ` Olaf van der Spek
2009-10-21 7:17 ` Enable syn cookies by default Olaf van der Spek
2009-10-21 7:25 ` Eric Dumazet
2009-10-21 7:48 ` Olaf van der Spek
2009-10-21 9:16 ` William Allen Simpson
2009-10-21 10:10 ` Olaf van der Spek
2009-10-21 18:36 ` William Allen Simpson
2009-10-21 18:45 ` Olaf van der Spek
2009-10-21 13:04 ` David Miller
2009-10-21 18:04 ` William Allen Simpson
2009-11-13 12:42 ` Olaf van der Spek