[Bug 25322] New: [PATCH] tcp syn cookies will not eat your server anymore

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

https://bugzilla.kernel.org/show_bug.cgi?id=25322

           Summary: [PATCH] tcp syn cookies will not eat your server
                    anymore
           Product: Documentation
           Version: unspecified
          Platform: All
        OS/Version: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: man-pages
        AssignedTo: documentation_man-pages@xxxxxxxxxxxxxxxxxxxx
        ReportedBy: nico@xxxxxxxxx
        Regression: No


Hello


Based on a discussion on net-dev
(http://article.gmane.org/gmane.linux.network.general/14344),
TCP syncookies seem to not be disastrous for performance anymore. Theses
improvements happened in 2.6.36, 2.6.33 and 2.6.26.

More info in theses commits:

  - 4dfc28170 Add support for TCP options via timestamps.
  - c6aefafb7 Add IPv6 support to TCP SYN cookies
  - 172d69e63 syncookies: add support for ECN

What would you think about the following patch about the tcp_syn_cookie entry?

diff --git a/man7/tcp.7 b/man7/tcp.7
index 3903c9d..e42bdef 100644
--- a/man7/tcp.7
+++ b/man7/tcp.7
@@ -677,11 +677,10 @@ The kernel must be compiled with
 Send out syncookies when the syn backlog queue of a socket overflows.
 The syncookies feature attempts to protect a
 socket from a SYN flood attack.
-This should be used as a last resort, if at all.
-This is a violation of the TCP protocol,
-and conflicts with other areas of TCP such as TCP extensions.
-It can cause problems for clients and relays.
-It is not recommended as a tuning mechanism for heavily
+Until 2.6.36, it was violating TCP and has to be used as a last
+resort, if at all. Since 2.6.36, TCP extensions are preserved and the
+impact on performance is minimal.
+It is still not recommended as a tuning mechanism for heavily
 loaded servers to help with overloaded or misconfigured conditions.
 For recommended alternatives see
 .IR tcp_max_syn_backlog ,



By the way, there is no information about tcp_cookie_size, the TCP Cookie
Transaction sysctl (this new TCP extension was introduced in 2.6.33), do you
want a patch?

-- 
Configure bugmail: https://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Kernel Documentation]     [Netdev]     [Linux Ethernet Bridging]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]

  Powered by Linux