Bug 145201 - enable tcp_syncookies by default
Product: Fedora
Classification: Fedora
Component: initscripts
All Linux
medium Severity medium
Assigned To: Bill Nottingham
Brock Organ
: FutureFeature
Reported: 2005-01-15 02:12 EST by Marius Andreiana
Modified: 2014-03-16 22:51 EDT
Doc Type: Enhancement
Last Closed: 2005-01-17 13:59:10 EST

Description Marius Andreiana 2005-01-15 02:12:36 EST
Please enable by default
in sysctl.conf

This is the thread of fedora-devel discussing this
and Alan Cox's reply

Note that this is in conformance with Fedora philosophy, to provide
good defaults instead of many tools for customizations. When
bastille-linux was proposed in fedora-devel to be included in Fedora,
the conclusion was to see what changes it performs and make them the
defaults if it's better for most users.

Comment 1 Bill Nottingham 2005-01-17 13:59:10 EST
Added in CVS, will be in later builds.

Comment 2 Jordan Russell 2010-04-02 16:54:37 EDT
I noticed that the tcp_syncookies setting is no longer included in recent Fedora releases (starting with 10?). The only reference to this I can find is in the initscripts changelog:

* Tue Jul 29 2008 Bill Nottingham <notting@redhat.com> - 8.80-1
- Turn off syncookies

But that doesn't address *why* the change was made. So I'm curious: Has there been some new development since 2005 that makes enabling syncookies a Really Bad Idea? Were syncookies found to be incompatible with certain functionality in recent Fedora releases?

Comment 3 Bill Nottingham 2010-04-06 11:05:03 EDT
It was done at the request of the upstream Linux networking stack maintainers (David Miller in particular).

Comment 4 Jordan Russell 2010-04-06 17:57:25 EDT
Hrm.. I assume you're referring to this:


Perhaps enabling syncookies did at one time completely disable SACK and timestamps, I don't know, but with current kernels, it has no effect on the TCP stack until the SYN queue becomes full:


And since 2.6.26, the SACK and window scaling options are preserved on connections saved by syncookies:


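Added example, not part of the bug thread or of initscripts: a shell check for the behaviour discussed in Comment 4, reporting the tcp_syncookies mode configured in sysctl.conf and whether the kernel has actually fallen back to SYN cookies, using the TcpExt counters in /proc/net/netstat. The function names and the sample sysctl.conf fragment and counter values are constructed for illustration; the 0/1/2 meanings follow the kernel's ip-sysctl documentation.

```shell
# Added example: report the tcp_syncookies mode and SYN cookie counters.

# Constructed sample inputs, so the functions can be tried off a live host.
SAMPLE_CONF='# constructed sysctl.conf fragment
net.ipv4.tcp_syncookies = 0
net/ipv4/tcp_syncookies=1'
SAMPLE_NETSTAT='TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed EmbryonicRsts
TcpExt: 1200 37 5 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0'

# Value assigned to net.ipv4.tcp_syncookies in sysctl.conf text on stdin.
# The last assignment wins; prints "unset" when there is none.
conf_syncookies() {
    awk -F= '
        /^[ \t]*[#;]/ { next }          # comment lines
        NF >= 2 {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            gsub("/", ".", key)         # sysctl also accepts net/ipv4/...
            if (key == "net.ipv4.tcp_syncookies") found = val
        }
        END { print (found == "" ? "unset" : found) }'
}

# One TcpExt counter from /proc/net/netstat text on stdin. The file pairs
# a line of counter names with a line of values in the same order.
tcpext_counter() {
    awk -v want="$1" '
        $1 != "TcpExt:" { next }
        !named { for (i = 2; i <= NF; i++) col[$i] = i; named = 1; next }
        { if (want in col) print $(col[want]); exit }'
}

# $1 = runtime value of tcp_syncookies; netstat text on stdin.
syncookie_report() {
    text=$(cat)
    case "$1" in
        0) mode=disabled ;; 1) mode=on-overflow ;; 2) mode=always ;; *) mode=unknown ;;
    esac
    sent=$(printf '%s\n' "$text" | tcpext_counter SyncookiesSent)
    failed=$(printf '%s\n' "$text" | tcpext_counter SyncookiesFailed)
    echo "mode=$mode cookies_sent=${sent:-?} cookies_failed=${failed:-?}"
}

printf '%s\n' "$SAMPLE_NETSTAT" | syncookie_report 1
if [ -r /proc/sys/net/ipv4/tcp_syncookies ] && [ -r /proc/net/netstat ]; then
    syncookie_report "$(cat /proc/sys/net/ipv4/tcp_syncookies)" < /proc/net/netstat
fi
```

On a host in mode 1, a `cookies_sent` value that stays at 0 means the SYN queue has not overflowed since boot and the setting has not yet altered any connection.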