| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 4 May 2015 23:07:07 -0400 From: John Heffner <johnwheffner@...il.com> To: Eric Dumazet <eric.dumazet@...il.com> Cc: Eric B Munson <emunson@...mai.com>, Tom Herbert <tom@...bertland.com>, "David S. Miller" <davem@...emloft.net>, linux-api@...r.kernel.org, netdev <netdev@...r.kernel.org> Subject: Re: [PATCH net-next] tcp: provide SYN headers for passive connections On Mon, May 4, 2015 at 11:12 AM, Eric Dumazet <eric.dumazet@...il.com> wrote: > On Mon, 2015-05-04 at 10:41 -0400, John Heffner wrote: > >> Nice idea, seems handy. But a couple (somewhat related) questions: >> >> * Other than convenience, are there reasons not use an existing, more >> general-purpose and portable mechanism like pcap? (Permissions, I >> guess?) > > Very hard to synchronize when say you have 32 listeners sharing a single > port (SO_REUSEPORT), and receive one million SYN per second (when my TCP > listener scaling work is finished). > > libpcap here would be a serious bottleneck, even with a clever FANIN > support on the af_packet sockets, considering use of multiqueue NIC. > >> * Are there conditions where, for security purposes, you don't want an >> application to have access to the raw SYNs? > > Not that we are aware of : We restrict the access to IP + TCP headers, > for the passive part. All information that is available there was > provided by the remote peer on a 'open way' anyway. Makes sense, thanks. -John -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists