Date:	Mon, 15 Aug 2016 09:52:40 -0700
From:	Yuchung Cheng <ycheng@...gle.com>
To:	Piotr Jurkiewicz <piotr.jerzy.jurkiewicz@...il.com>
Cc:	netdev <netdev@...r.kernel.org>
Subject: Re: Issues related to TCP Fast Open flags: TFO_SERVER_COOKIE_NOT_CHKED
 and TFO_SERVER_WO_SOCKOPT2

On Sat, Aug 13, 2016 at 4:05 PM, Piotr Jurkiewicz
<piotr.jerzy.jurkiewicz@...il.com> wrote:
> 1. Handling of TFO_SERVER_COOKIE_NOT_CHKED flag was removed back in 2014,
> but this flag is still mentioned in the documentation:
>
> Documentation/networking/ip-sysctl.txt:
>         0x100: Accept SYN data w/o validating the cookie.
>
> 2. There is no explanation how TFO_SERVER_WO_SOCKOPT1 and
> TFO_SERVER_WO_SOCKOPT2 differ, the docs only say:
>
> Documentation/networking/ip-sysctl.txt:
>         0x400/0x800: Enable Fast Open on all listeners regardless of the
>            TCP_FASTOPEN socket option. The two different flags designate two
>            different ways of setting max_qlen without the TCP_FASTOPEN socket
>            option.
>
> 3. When TFO_SERVER_WO_SOCKOPT2 flag is set, the fastopenq.max_qlen is set to
> the value of sysctl bitmap containing flags (sysctl_tcp_fastopen), which is
> (at least for me) completely irrational and I believe is a bug:
>
> net/ipv4/af_inet.c:
>         else if ((sysctl_tcp_fastopen &
>                   TFO_SERVER_WO_SOCKOPT2) != 0)
>                 fastopen_queue_tune(sk,
>                     ((uint)sysctl_tcp_fastopen) >> 16);

Thanks for pointing these issues out. The document indeed needs work.

TFO_SERVER_WO_SOCKOPT2 was used for debugging purposes that we
forgot to clean up before upstreaming. Here is my plan:

1) send a patch to remove this opaque/buggy internal debugging option
2) update the ip-sysctl, perhaps update tcp option man pages

How does that sound?
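
Added example (not part of this thread and not kernel code): a user-space C model of the quoted `else if` branch that checks a `tcp_fastopen` sysctl value for the stale 0x100 flag and for a queue limit taken from the bitmap's upper 16 bits. The function names and finding codes are hypothetical, the sample values are constructed, and the use of the listen backlog for 0x400 is an assumption about code the message does not quote.

```c
#include <stdio.h>

/* Flag values as quoted from ip-sysctl.txt in the message above. */
#define TFO_SERVER_COOKIE_NOT_CHKED 0x100u
#define TFO_SERVER_WO_SOCKOPT1      0x400u
#define TFO_SERVER_WO_SOCKOPT2      0x800u

/* Hypothetical finding codes for this example, combined as a bitmask. */
enum {
    AUDIT_OK               = 0,
    AUDIT_DEAD_FLAG        = 1, /* 0x100 set, but its handling was removed */
    AUDIT_QLEN_FROM_BITMAP = 2, /* max_qlen comes from bits 16+ of the sysctl */
    AUDIT_QLEN_ZERO        = 4  /* ...and those bits are all zero */
};

/* Models the quoted branch: the max_qlen passed to fastopen_queue_tune(),
 * or -1 if neither WO_SOCKOPT flag is set.
 * Assumption: the 0x400 branch (not quoted on the page) uses the backlog. */
static int model_max_qlen(unsigned int sysctl_tcp_fastopen, int backlog)
{
    if (sysctl_tcp_fastopen & TFO_SERVER_WO_SOCKOPT1)
        return backlog;
    if (sysctl_tcp_fastopen & TFO_SERVER_WO_SOCKOPT2)
        return (int)(sysctl_tcp_fastopen >> 16);
    return -1;
}

static int audit_tcp_fastopen(unsigned int v)
{
    int findings = AUDIT_OK;

    if (v & TFO_SERVER_COOKIE_NOT_CHKED)
        findings |= AUDIT_DEAD_FLAG;
    if (!(v & TFO_SERVER_WO_SOCKOPT1) && (v & TFO_SERVER_WO_SOCKOPT2)) {
        findings |= AUDIT_QLEN_FROM_BITMAP;
        if ((v >> 16) == 0)
            findings |= AUDIT_QLEN_ZERO;
    }
    return findings;
}

int main(void)
{
    /* Constructed sample sysctl values. */
    const unsigned int samples[] = { 0x400, 0x800, 0x640800, 0x900, 0x0 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("tcp_fastopen=%#x max_qlen=%d findings=%d\n", samples[i],
               model_max_qlen(samples[i], 128), audit_tcp_fastopen(samples[i]));
    return 0;
}
```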
