On Thu, Sep 1, 2022 at 8:03 AM Richard Gobert <richardbgobert@xxxxxxxxx> wrote:
>
> On Mon, Aug 29, 2022 at 03:15:47PM -0700, Eric Dumazet wrote:
> > We tried to get rid of any dependence over inetpeer, which is not
> > resistant against DDOS attacks.
> >
> > So I would not add a new dependency.
>
> I see your point. What do you suggest doing differently?
>
> The inetpeer mechanism is used for IPv4 frags. If it isn't resistant
> against DDoS attacks, can it perhaps be improved?

It can be disabled if needed, by changing ipfrag_max_dist sysctl.

Quite frankly IPv4 reassembly unit is a toy, I am always surprised
some applications are still relying on IP fragments.