Re: [PATCH] tcp.7: tcp_syncookies: It is now an integer [0, 2]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Alex,


On 12/7/20 6:08 PM, Alejandro Colomar wrote:
> Since Linux kernel 3.12, tcp_syncookies can have the value 2,
> which sends out cookies unconditionally.
> 
> Related kernel commits:
> 5ad37d5deee1ff7150a2d0602370101de158ad86
> d8513df2598e5142f8a5c4724f28411936e1dfc7
> 
> Reported-by: Philip Rowlands <linux-kernel@xxxxxxxxxxx>
> Signed-off-by: Alejandro Colomar <alx.manpages@xxxxxxxxx>
> Cc: Eric Dumazet <eric.dumazet@xxxxxxxxx>
> Cc: Hannes Frederic Sowa <hannes@xxxxxxxxxxxxxxxxxxx>
> Cc: David S. Miller <davem@xxxxxxxxxxxxx>
> ---
>  man7/tcp.7 | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)
> 
> diff --git a/man7/tcp.7 b/man7/tcp.7
> index d983a8f9a..591f73d8d 100644
> --- a/man7/tcp.7
> +++ b/man7/tcp.7
> @@ -830,12 +830,11 @@ The maximum number of times a SYN/ACK segment
>  for a passive TCP connection will be retransmitted.
>  This number should not be higher than 255.
>  .TP
> -.IR tcp_syncookies " (Boolean; since Linux 2.2)"
> +.IR tcp_syncookies " (integer; default: 1; since Linux 2.2)"
>  .\" Since 2.1.43
>  Enable TCP syncookies.
>  The kernel must be compiled with
>  .BR CONFIG_SYN_COOKIES .
> -Send out syncookies when the syn backlog queue of a socket overflows.
>  The syncookies feature attempts to protect a
>  socket from a SYN flood attack.
>  This should be used as a last resort, if at all.
> @@ -849,6 +848,17 @@ For recommended alternatives see
>  .IR tcp_synack_retries ,
>  and
>  .IR tcp_abort_on_overflow .
> +Set to one of the following values:
> +.RS
> +.IP 0 3
> +Disable TCP syncookies.
> +.IP 1
> +Send out syncookies when the syn backlog queue of a socket overflows.
> +.IP 2

I think it's helpful to let the reader know that this is a more
recent feature. So, better:

.IP 2 (since Linux 3.12)

Thanks,

Michael

> +.\" commit 5ad37d5deee1ff7150a2d0602370101de158ad86
> +Send out syncookies unconditionally.
> +This can be useful for network testing.
> +.RE
>  .TP
>  .IR tcp_timestamps " (integer; default: 1; since Linux 2.2)"
>  .\" Since 2.1.36
> 


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
[Index of Archives]     [Kernel Documentation]     [Netdev]     [Linux Ethernet Bridging]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]

  Powered by Linux