Bug 145201
Summary: enable tcp_syncookies by default

Product: Fedora
Component: initscripts
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Keywords: FutureFeature
Doc Type: Enhancement
Reporter: Marius Andreiana <marius.andreiana>
Assignee: Bill Nottingham <notting>
QA Contact: Brock Organ <borgan>
CC: jr-redhatbugs2, rvokal
URL: https://www.redhat.com/archives/fedora-devel-list/2005-January/msg00447.html
Last Closed: 2005-01-17 18:59:10 UTC

Description Marius Andreiana 2005-01-15 07:12:36 UTC
Please enable /proc/sys/net/ipv4/tcp_syncookies by default in sysctl.conf.

This is the fedora-devel thread discussing this:
https://www.redhat.com/archives/fedora-devel-list/2005-January/msg00447.html
and Alan Cox's reply:
https://www.redhat.com/archives/fedora-devel-list/2005-January/msg00483.html

Note that this is in conformance with fedora philosophy, to provide
good defaults instead of many tools for customizations. When
bastille-linux was proposed in fedora-devel to be included in fedora,
the conclusion was to see what changes it performs and make them the
defaults if it's better for most users.

Thanks!

Comment 1 Bill Nottingham 2005-01-17 18:59:10 UTC
Added in CVS, will be in later builds.

Comment 2 Jordan Russell 2010-04-02 20:54:37 UTC
I noticed that the tcp_syncookies setting is no longer included in recent Fedora releases (starting with 10?). The only reference to this I can find is in the initscripts changelog:

* Tue Jul 29 2008 Bill Nottingham <notting> - 8.80-1
- Turn off syncookies

But that doesn't address *why* the change was made. So I'm curious: Has there been some new development since 2005 that makes enabling syncookies a Really Bad Idea? Were syncookies found to be incompatible with certain functionality in recent Fedora releases?

Comment 3 Bill Nottingham 2010-04-06 15:05:03 UTC
It was done at the request of the upstream Linux networking stack maintainers (David Miller in particular).

Comment 4 Jordan Russell 2010-04-06 21:57:25 UTC
Hrm.. I assume you're referring to this:

http://lkml.org/lkml/2008/7/24/51

Perhaps enabling syncookies did at one time completely disable SACK and timestamps, I don't know, but with current kernels, it has no effect on the TCP stack until the SYN queue becomes full:

http://lkml.org/lkml/2008/7/24/178
http://lkml.org/lkml/2008/2/5/422
http://groups.google.com/group/linux_net/msg/9261a014825c042f

And since 2.6.26, the SACK and window scaling options are preserved on connections saved by syncookies:

http://lwn.net/Articles/277146/
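As an added example that is not part of the bug report or of initscripts: a small POSIX shell script that checks a sysctl.conf fragment for the `net.ipv4.tcp_syncookies` setting requested here and reads the kernel's `TcpExt` counters from `/proc/net/netstat` (`SyncookiesSent`, `SyncookiesRecv`, `SyncookiesFailed`) to tell whether the SYN queue has ever filled, which, as comment 4 explains, is the only point at which syncookies change the stack's behaviour. The sample conf and netstat text are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether syncookies are
# configured in sysctl.conf text and whether the kernel has ever had to
# use them, which only happens once the SYN queue fills (SyncookiesSent).

# Constructed sample inputs so the script runs offline.
SAMPLE_CONF='# constructed sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1'
SAMPLE_NETSTAT='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts
TcpExt: 120 97 3 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0'

# Print the value of net.ipv4.tcp_syncookies from sysctl.conf text
# (last assignment wins; comments and blank lines ignored); "unset" if absent.
conf_syncookies() {
    printf '%s\n' "$1" | awk -F '=' '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == "net.ipv4.tcp_syncookies" { v = $2 }
        END { print (v == "" ? "unset" : v) }'
}

# Print one TcpExt counter (e.g. SyncookiesSent) from /proc/net/netstat text.
# The header line names the columns; the following TcpExt line holds values.
tcpext_counter() {
    printf '%s\n' "$2" | awk -v key="$1" '
        $1 == "TcpExt:" && !col { for (i = 2; i <= NF; i++) if ($i == key) col = i; next }
        $1 == "TcpExt:" && col  { print $col; exit }'
}

# One-line summary; exit status 0 only if syncookies are configured on.
syncookie_report() {
    conf="$(conf_syncookies "$1")"
    sent="$(tcpext_counter SyncookiesSent "$2")"
    echo "tcp_syncookies in conf: $conf; SYN-queue overflows answered with cookies: ${sent:-0}"
    [ "$conf" = 1 ]
}

# Use the live kernel files when readable, else the constructed samples.
if [ -r /proc/net/netstat ]; then
    syncookie_report "$(cat /etc/sysctl.conf 2>/dev/null)" "$(cat /proc/net/netstat)" || true
else
    syncookie_report "$SAMPLE_CONF" "$SAMPLE_NETSTAT" || true
fi
```

A non-zero `SyncookiesSent` on a host that is not under load is the signal worth alerting on: it means the listen backlog overflowed and cookies, with their reduced option set, were actually in use.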