[Bug 1773157] Re: procps outdated network options, old syncookies, new ecn update please.
Launchpad Bug Tracker
1773157 at bugs.launchpad.net
Tue Jun 19 06:26:47 UTC 2018
This bug was fixed in the package procps - 2:3.3.15-2ubuntu1

---------------
procps (2:3.3.15-2ubuntu1) cosmic; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - debian/sysctl.d (Ubuntu-specific):
      + 10-console-messages.conf: stop low-level kernel messages on console.
      + 10-kernel-hardening.conf: add the kptr_restrict setting
      + 10-keyboard.conf.powerpc: mouse button emulation on PowerPC.
      + 10-ipv6-privacy.conf: add a file to sysctl.d to apply the defaults
        for IPv6 privacy extensions for interfaces. (LP: #176125, #841353)
      + 10-link-restrictions.conf: even though the Ubuntu
        kernel is built with these defaults in place, we want to make sure
        that people running stock kernels don't miss out.
      + 10-magic-sysrq.conf: Disable most magic sysrq by default, allowing
        critical sync, remount, reboot functions. (LP: #194676, LP: #1025467)
      + 10-network-security.conf: enable rp_filter.
      + 10-ptrace.conf: describe new PTRACE setting.
      + 10-zeropage.conf: safe mmap_min_addr value for graceful fall-back
        for armhf, and arm64.
      + 10-qemu.conf.s390x for qemu.
      + README: describe how this directory is supposed to work.
    - debian/rules: Fix cross build
    - ignore_eaccess.patch: If we get eaccess when opening a sysctl file for
      writing, don't error out. Otherwise package upgrades can fail,
      especially in containers.
    - ignore_erofs.patch: Same as ignore_eaccess but for the case where
      part of /proc is read/only.

procps (2:3.3.15-2) unstable; urgency=medium

  * Fix link in libprocps-dev Closes: 900239
  * Fix typo in license Closes: #899346

 -- Balint Reczey <rbalint at ubuntu.com>  Tue, 05 Jun 2018 11:20:00 -0700
** Changed in: procps (Ubuntu)
       Status: Confirmed => Fix Released
https://bugs.launchpad.net/bugs/1773157
Title:
  procps outdated network options, old syncookies, new ecn update
  please.

Status in procps package in Ubuntu:
  Fix Released

Bug description:
  The Ubuntu version of procps carries its own
  /etc/sysctl.d/10-network-security.conf file explicitly, which appears not
  to be part of the Debian procps version.

  Firstly, the section about "# Turn on SYN-flood protections." (came from
  LP #57091) is now entirely outdated: the upstream kernel has long since
  turned on syncookies by default, so setting this flag explicitly in
  10-network-security.conf has been entirely redundant, likely since before
  ubuntu-14.04.

  I would like the Ubuntu maintainer to remove that section entirely in
  cosmic onwards.

  [I am going to report to Debian the similarly outdated syncookies comments
  in sysctl.conf itself.]

  Secondly, I propose a new 10-network-tuning.conf with:-
==============================================================================
# Allow ECN for outgoing connections. Starting with 4.2, there is an adaptive
# fallback [enabled by default tcp_ecn_fallback option] preventing connection
# loss even with ecn enabled, also ecn-intolerance is increasingly very rare.
net.ipv4.tcp_ecn=1
==============================================================================
  I know there is a (small) chance of issues/regressions with ECN enabled by
  default on outgoing connections, but I'm quite sure the issue is very rare,
  as others have noticed [ref: 1 and 2 below]. Apple's selective enablement
  etc. shows this works, just as much as my own use for years and many
  similar reports.

  ECN actually being used for outgoing connections really helps with latency
  reduction with modern routers (both core and edge) using queuing disciplines
  fq_codel or otherwise, which are able to mark rather than drop packets on
  ECN-enabled flows [helps latency and realtime applications]. Now that we are
  just past the LTS release is, in my view, the 'right time' to finally enable
  ECN [and it is obviously easy to revert!].

  If this is disputed, in ANY case I strongly suggest that at the very least
  a commented-out ECN section should be included, but 'defaults matter'!

  I was going to suggest a non-default section about net.core.default_qdisc
  [LP #1436945], but this appears to have been fixed upstream similarly.
[1] https://www.ietf.org/proceedings/98/slides/slides-98-maprg-tcp-ecn-experience-with-enabling-ecn-on-the-internet-padma-bhooma-00.pdf
[2] http://seclists.org/nanog/2015/Jun/675
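As an added illustration of the redundancy argument in the report above (this is not part of the bug report or of procps), the following Python helper parses a sysctl.d-style file and labels each key as redundant, a real change, or unknown relative to the kernel's live value; the sample file and running values are constructed, and `read_running` is a hypothetical helper that reads /proc/sys on a real host.

```python
"""Flag sysctl.d entries that only restate the kernel's current value.
Hypothetical helper, not part of procps; the sample data is constructed."""
from pathlib import Path

def parse_sysctl_conf(text):
    """Parse sysctl.conf(5) syntax: '#' or ';' start a comment, a leading
    '-' means 'ignore errors for this key', and '/' may replace '.' in keys."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.replace("/", ".")] = value
    return settings

def read_running(keys, procfs="/proc/sys"):
    """Read live values from /proc/sys (None for keys this kernel lacks)."""
    running = {}
    for key in keys:
        try:
            running[key] = (Path(procfs) / key.replace(".", "/")).read_text().strip()
        except OSError:
            running[key] = None
    return running

def classify(configured, running):
    """'redundant' = file restates the live value, 'change' = it would alter
    it, 'unknown' = this kernel does not expose the key."""
    verdicts = {}
    for key, value in configured.items():
        live = running.get(key)
        if live is None:
            verdicts[key] = "unknown"
        else:
            verdicts[key] = "redundant" if live.split() == value.split() else "change"
    return verdicts

# Constructed sample: the syncookies section plus the proposed ECN setting.
SAMPLE_CONF = """\
# Turn on SYN-flood protections.
net.ipv4.tcp_syncookies=1
# Allow ECN for outgoing connections.
net.ipv4.tcp_ecn = 1
-net/ipv4/tcp_ecn_fallback=1
"""
# Constructed live values: syncookies already on, tcp_ecn at its kernel
# default of 2 (answer peers' ECN requests, never request ECN ourselves).
SAMPLE_RUNNING = {"net.ipv4.tcp_syncookies": "1", "net.ipv4.tcp_ecn": "2",
                  "net.ipv4.tcp_ecn_fallback": "1"}
```

With the constructed data, `classify(parse_sysctl_conf(SAMPLE_CONF), SAMPLE_RUNNING)` reports tcp_syncookies as redundant and tcp_ecn as a change; on a live host, `classify(conf, read_running(conf))` gives the same verdicts against the real kernel.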