From owner-cvs-src@FreeBSD.ORG Thu Jan 24 10:57:41 2008 Return-Path: Delivered-To: cvs-src@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A1F0C16A46C for ; Thu, 24 Jan 2008 10:57:41 +0000 (UTC) (envelope-from andre@freebsd.org) Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.freebsd.org (Postfix) with ESMTP id E9E0813C505 for ; Thu, 24 Jan 2008 10:57:40 +0000 (UTC) (envelope-from andre@freebsd.org) Received: (qmail 98676 invoked from network); 24 Jan 2008 10:18:55 -0000 Received: from localhost (HELO [127.0.0.1]) ([127.0.0.1]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 24 Jan 2008 10:18:55 -0000 Message-ID: <47986F27.10401@freebsd.org> Date: Thu, 24 Jan 2008 11:57:43 +0100 From: Andre Oppermann User-Agent: Thunderbird 1.5.0.14 (Windows/20071210) MIME-Version: 1.0 To: Mike Silbersack References: <200711200656.lAK6u4bc021279@repoman.freebsd.org> <4797B77E.2090605@freebsd.org> <20080124005006.D93697@odysseus.silby.com> In-Reply-To: <20080124005006.D93697@odysseus.silby.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Mike Silbersack , kmacy@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org, src-committers@FreeBSD.org, freebsd-net@freebsd.org Subject: Re: cvs commit: src/sys/netinet tcp_syncache.c X-BeenThere: cvs-src@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: CVS commit messages for the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Jan 2008 10:57:41 -0000 Mike Silbersack wrote: > > On Wed, 23 Jan 2008, Andre Oppermann wrote: > >> OTOH the enforcement of this rule wasn't really there before and it >> may be argued that we've got a POLA violation here. A careful reading > > That's exactly the point. We were not enforcing timestamps since... > whenever the RFC1323 code went in. Then we start enforcing them, and > start getting bug reports while we're still in the beta phase. That > indicates to me that we would've been likely to see many reports as time > went on. I'm complaining about not fixing or modifying the test. The rationale and comments to the change are not correct and a different fix would be more appropriate. > If you want to put the check back in, but hide it behind a sysctl that > is disabled by default, that would be ok with me. The check is fine. However in the edge case it should not cause the connection to be aborted but it should disable timestamps locally. There is no point in sending them if they do not get returned. > I'm not generally opposed to security improvements that only affect edge > cases... but being unable to connect is not an edge case! Fully agreed. I'll reopen the PR and follow up with the originator to do some further analysis. All operating system he cites that were unable to connect correctly send timestamps and do not stop after the SYN phase. So there must be something else at play here. Have you received or heart of any *other* reports that may be related to the timestamp check? -- Andre