Re: sloppy states and dsr

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Theo de Raadt

Date: Monday, June 30, 2008 - 11:35 pm

> * Ted Unangst <ted.unangst@gmail.com> [2008-06-20 20:50]:
quoted text> > One would only use sloppy state tracking on the load balancer, right?
> 
> not necessarily only, but that would be the most common use I bet.
> In general, you use it when you cannot avoid it, as in, the other
> option is to not filter stateful at all since you don't see all of the
> packets for the connection.

sloppy state handling use, follow these two rules:

rule one:

       if you exactly understand how to use sloppy state safely, use it

NO:    otherwise, don't even dream of using it, unless you come from
       an linux ipfilter world, in which case, it is probably as good
       as that


it is that simple. really.

the second basic rule is:

	if the regular 'strict' state handling does not work for you in
	specific situations, you probably already already know the
	problem in enough detail and can use sloppy, for very specific
	situations which you understand in excruciating detail.  if you
	don't understand those situations exactly go back to NO.

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

sloppy states and dsr, Ted Unangst, (Fri Jun 20, 11:47 am)

Re: sloppy states and dsr, Pierre-Yves Ritschard, (Fri Jun 20, 11:58 am)

Re: sloppy states and dsr, Darrin Chandler, (Fri Jun 20, 12:49 pm)

Re: sloppy states and dsr, Ryan McBride, (Fri Jun 20, 5:12 pm)

Re: sloppy states and dsr, Paul de Weerd, (Fri Jun 20, 5:24 pm)

Re: sloppy states and dsr, Darrin Chandler, (Fri Jun 20, 5:58 pm)

Re: sloppy states and dsr, Henning Brauer, (Mon Jun 30, 5:33 pm)

Re: sloppy states and dsr , Theo de Raadt, (Mon Jun 30, 11:35 pm)


linux-kernel:
Ken Chen	[patch] sched: fix inconsistency when redistribute per-cpu tg->cfs_rq shares.
Ingo Molnar	Re: [PATCH v3] x86: merge the simple bitops and move them to bitops.h
Jan Engelhardt	Re: [PATCH] Allow Kconfig to set default mmap_min_addr protection
Dmitry Torokhov	Re: [2.6 patch] input/serio/hp_sdc.c section fix
Rafael J. Wysocki	[Bug #16380] Loop devices act strangely in 2.6.35
git:
Steven Grimm	Using git as a general backup mechanism (was Re: Using GIT to store /etc)
Jeff King	Re: [PATCH] git-reset: allow --soft in a bare repo
Johannes Sixt	Re: [PATCH 01/14] msvc: Fix compilation errors in compat/win32/sys/poll.c
Johannes Schindelin	Re: [PATCH] Uninstall rule for top level Makefile
Shawn O. Pearce	Re: [PATCH v2] Speed up bash completion loading
git-commits-head:
Linux Kernel Mailing List	cgroups: clean up cgroup_pidlist_find() a bit
Linux Kernel Mailing List	sony-laptop: Add support for extended hotkeys
Linux Kernel Mailing List	IB/core: Add support for masked atomic operations
Linux Kernel Mailing List	V4L/DVB (8939): cx18: fix sparse warnings
Linux Kernel Mailing List	ipv6 mcast: Check address family of gf_group in getsockopt(MS_FILTER).
linux-netdev:
Inaky Perez-Gonzalez	[PATCH 40/40] wimax/i2400m: add CREDITS and MAINTAINERS entries
Karsten Keil	[mISDN PATCH v2 05/19] Reduce stack size in dsp_cmx_send()
linux	Re: 2.6.23-rc8 network problem. Mem leak? ip1000a?
David Miller	Re: tun: Use netif_receive_skb instead of netif_rx
David Miller	Re: [net-next PATCH v2] llc enhancements
freebsd-current:
Matthew Fleming	Re: [RFC] Outline of USB process integration in the kernel taskqueue system
illoai@gmail.com	Re: OT: 2d password
Hartmut Brandt	Re: problem with nss_ldap
Andrew Reilly	Re: FreeBSD's problems as seen by the BSDForen.de community
Max Laier	Re: Upcoming ABI Breakage in RELENG_7