Date:      Fri, 28 Jan 2011 21:57:00 +0200
From:      Ivo Vachkov <ivo.vachkov@gmail.com>
To:        Doug Barton <dougb@freebsd.org>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>, bz@freebsd.org
Subject:   Re: Proposed patch for Port Randomization modifications according to RFC6056
Message-ID:  <AANLkTimhZ_pxTGt958AX8m=+S=g2hqsst=GH1a99D0g1@mail.gmail.com>
In-Reply-To: <4D431258.8040704@FreeBSD.org>
References:  <AANLkTi=rF+CYiNG7PurPtrwn-AMT9cYEe90epGAJDwDq@mail.gmail.com> <4D411CC6.1090202@gont.com.ar> <AANLkTinvg5tft8xockuuV9g5QYd36ko9qO4YCvy5bkJ1@mail.gmail.com> <4D431258.8040704@FreeBSD.org>

On Fri, Jan 28, 2011 at 9:00 PM, Doug Barton <dougb@freebsd.org> wrote:
> On 01/28/2011 06:33, Ivo Vachkov wrote:
>>
>> Hello,
>>
>> I would like to thank you for the help and for the recommendations.
>>
>> I attach the second version of the patch I proposed earlier, including
>> the following changes:
>>
>> 1) All RFC6056 algorithms are implemented.
>> 2) Both IPv4 and IPv6 stacks are modified to use the new port
>> randomization code.
>> 3) There are two variables that can be modified via sysctl:
>> - net.inet.ip.portrange.rfc6056_algorithm - which allows the super
>> user to choose one out of the five possible algorithms.
>> - net.inet.ip.portrange.rfc6056_algorithm5_tradeoff - which allows the
>> super user to modify the trade-off value used in algorithm 5.
>> All values are explicitly checked for correctness before usage.
>> Default values for those variables represent the current/legacy port
>> randomization algorithm and the values proposed in the RFC itself.
>
> I haven't reviewed the patch in detail yet but I wanted to first thank you
> for taking on this work, and being so responsive to Fernando's request
> (which I agreed with, and you updated before I even had a chance to say so).
> :)
>
> My one comment so far is on the name of the sysctls. There are 2 problems
> with sysctl/variable names that use an rfc title. The first is that they are
> not very descriptive to the 99.9% of users who are not familiar with that
> particular doc. The second is more esoteric, but if the rfc is subsequently
> updated or obsoleted we're stuck with either an anachronism or updating code
> (both of which have their potential areas of confusion).
>
> So in order to avoid this issue, and make it more consistent with the
> existing:
>
> net.inet.ip.portrange.randomtime
> net.inet.ip.portrange.randomcps
> net.inet.ip.portrange.randomized
>
> How does net.inet.ip.portrange.randomalg sound? I would also suggest that
> the second sysctl be named net.inet.ip.portrange.randomalg.alg5_tradeoff so
> that one could do 'sysctl net.inet.ip.portrange.randomalg' and see both
> values. But I won't quibble on that. :)
>

I have no objections to this. Since this is my first attempt to
contribute something back to the community I decided to see how it's
done before. So I found:
net.inet.tcp.rfc1323
net.inet.tcp.rfc3465
net.inet.tcp.rfc3390
net.inet.tcp.rfc3042
which probably led me in the wrong direction :)

I understand your point and agree with it. However, my somewhat
limited understanding of the sysctl internal organization is telling
me that a tree node does not support values. Am I wrong? If my reasoning
is correct, maybe I can create the sysctl variables with the following
names:
- net.inet.ip.portrange.randomalg (Tree Node)
- net.inet.ip.portrange.randomalg.alg[orithm] (Leaf Node, to store the
selected algorithm)
- net.inet.ip.portrange.randomalg.alg5_tradeoff (Leaf Node, to store
the Algorithm 5 trade-off value)

Ivo Vachkov
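Added here as an illustration of the Algorithm 5 ("random increments") selection and the trade-off knob discussed above; this is not code from the patch or from the FreeBSD tree. The xorshift PRNG, the in-use port bitmap and the validation bound on the trade-off value are constructed assumptions standing in for the kernel's random source, the inpcb lookup and the patch's own range checks.

```c
/* RFC 6056 Algorithm 5 (random increments) in user space, as an example.
 * PRNG, in-use table and the validation bound on N are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define MIN_EPHEMERAL 49152
#define MAX_EPHEMERAL 65535
#define NUM_EPHEMERAL (MAX_EPHEMERAL - MIN_EPHEMERAL + 1)

/* Deterministic xorshift32 stand-in for the kernel random source
 * (constructed so the run is reproducible; not cryptographic). */
static uint32_t rng_state = 0x9e3779b9u;
static uint32_t prng(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Bitmap of bound ports; check_suitable_port() consults it. */
static uint8_t in_use[65536 / 8];
static bool check_suitable_port(uint16_t p) { return !(in_use[p / 8] & (1u << (p % 8))); }
void mark_port_in_use(uint16_t p) { in_use[p / 8] |= (uint8_t)(1u << (p % 8)); }
void mark_range_in_use(uint32_t lo, uint32_t hi) { for (uint32_t p = lo; p <= hi; p++) mark_port_in_use((uint16_t)p); }

/* The "alg5_tradeoff" knob: N from RFC 6056 Algorithm 5 (RFC default 500).
 * Small N reuses ports slowly; large N approaches full randomization.
 * Bound is an assumption: reject N < 1 and N >= the ephemeral range size. */
static uint32_t alg5_tradeoff = 500;
int set_alg5_tradeoff(uint32_t n) {
    if (n < 1 || n >= NUM_EPHEMERAL) return -1;  /* checked before use */
    alg5_tradeoff = n;
    return 0;
}

/* Algorithm 5 state: next_ephemeral is seeded randomly at boot. */
static uint32_t next_ephemeral;
void alg5_init(void) { next_ephemeral = prng() % 65536; memset(in_use, 0, sizeof in_use); }

/* Returns a free port in [MIN_EPHEMERAL, MAX_EPHEMERAL], or 0 if none. */
uint16_t alg5_select_port(void) {
    uint32_t count = NUM_EPHEMERAL;            /* bounded search, as in the RFC */
    do {
        next_ephemeral += (prng() % alg5_tradeoff) + 1;   /* step of 1..N */
        uint16_t port = (uint16_t)(MIN_EPHEMERAL + (next_ephemeral % NUM_EPHEMERAL));
        if (check_suitable_port(port)) return port;
    } while (--count > 0);
    return 0;
}
```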