Bug 145201 - enable tcp_syncookies by default
Summary: enable tcp_syncookies by default
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: initscripts
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Brock Organ
URL: https://www.redhat.com/archives/fedor...
Whiteboard:
Depends On:
Blocks:
Reported: 2005-01-15 07:12 UTC by Marius Andreiana
Modified: 2014-03-17 02:51 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-01-17 18:59:10 UTC
Type: ---
Embargoed:


Description Marius Andreiana 2005-01-15 07:12:36 UTC
Please enable by default
/proc/sys/net/ipv4/tcp_syncookies/tcp_syncookies 
in sysctl.conf

This is the thread of fedora-devel discussing this
https://www.redhat.com/archives/fedora-devel-list/2005-January/msg00447.html
and Alan Cox's reply
https://www.redhat.com/archives/fedora-devel-list/2005-January/msg00483.html

Note that this is in conformance with fedora philosophy, to provide
good defaults instead of many tools for customizations. When
bastille-linux was proposed in fedora-devel to be included in fedora,
the conclusion was to see what changes it performs and make them the
defaults if it's better for most users.

Thanks!

Comment 1 Bill Nottingham 2005-01-17 18:59:10 UTC
Added in CVS, will be in later builds.

Comment 2 Jordan Russell 2010-04-02 20:54:37 UTC
I noticed that the tcp_syncookies setting is no longer included in recent Fedora releases (starting with 10?). The only reference to this I can find is in the initscripts changelog:

* Tue Jul 29 2008 Bill Nottingham <notting> - 8.80-1
- Turn off syncookies

But that doesn't address *why* the change was made. So I'm curious: Has there been some new development since 2005 that makes enabling syncookies a Really Bad Idea? Were syncookies found to be incompatible with certain functionality in recent Fedora releases?

Comment 3 Bill Nottingham 2010-04-06 15:05:03 UTC
It was done at the request of the upstream Linux networking stack maintainers (David Miller in particular).

Comment 4 Jordan Russell 2010-04-06 21:57:25 UTC
Hrm.. I assume you're referring to this:

http://lkml.org/lkml/2008/7/24/51

Perhaps enabling syncookies did at one time completely disable SACK and timestamps, I don't know, but with current kernels, it has no effect on the TCP stack until the SYN queue becomes full:

http://lkml.org/lkml/2008/7/24/178
http://lkml.org/lkml/2008/2/5/422
http://groups.google.com/group/linux_net/msg/9261a014825c042f

And since 2.6.26, the SACK and window scaling options are preserved on connections saved by syncookies:

http://lwn.net/Articles/277146/
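
Added example (not part of the bug report or of initscripts): a check of whether syncookies have ever engaged on a host, following Comment 4's point that the setting has no effect until the SYN queue fills. The function names are hypothetical and the sample counter values are constructed; the counters are read from the `TcpExt` group of `/proc/net/netstat`.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# Constructed sample in /proc/net/netstat layout: a header line of counter
# names followed by a line of values, per protocol group.
sample_netstat() {
cat <<'EOF'
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 1532 1498 34 12 12
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
EOF
}

# tcpext_counter NAME: read netstat-format text on stdin and print the
# TcpExt counter NAME. Prints nothing if the kernel does not export it.
tcpext_counter() {
    awk -v want="$1" '
        $1 == "TcpExt:" && !seen { for (i = 2; i <= NF; i++) col[$i] = i; seen = 1; next }
        $1 == "TcpExt:"          { if (want in col) print $(col[want]); exit }
    '
}

# syncookie_verdict MODE SENT: MODE is the tcp_syncookies sysctl value,
# SENT is SyncookiesSent. With MODE=1 cookies are only issued once the
# SYN queue overflows, so SENT=0 means the setting has never taken effect.
syncookie_verdict() {
    case "$1" in
        0) echo "disabled" ;;
        1) if [ "$2" -gt 0 ]; then echo "engaged"; else echo "armed-idle"; fi ;;
        2) echo "unconditional" ;;
        *) echo "unknown" ;;
    esac
}

# Report on the constructed sample, then on the live host if procfs is readable.
echo "sample: $(syncookie_verdict 1 "$(sample_netstat | tcpext_counter SyncookiesSent)")"
if [ -r /proc/sys/net/ipv4/tcp_syncookies ] && [ -r /proc/net/netstat ]; then
    mode=$(cat /proc/sys/net/ipv4/tcp_syncookies)
    sent=$(tcpext_counter SyncookiesSent < /proc/net/netstat)
    echo "live: $(syncookie_verdict "$mode" "${sent:-0}")"
fi
```

A nonzero `SyncookiesFailed` alongside `SyncookiesSent` is the counter to watch when judging whether a SYN flood or a backlog sizing problem triggered the cookies.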

