Package: netbase
Version: 4.21
Severity: normal

/etc/network/options allows three network-related options to be
configured on a system-wide basis. However, these options can only
be turned on. Turning them off does not work, as exemplified by the
following excerpt from /etc/init.d/networking:

syncookies () {
    if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
        echo -n "Enabling TCP/IP SYN cookies..."
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
        echo "done."
    fi
}

(there is nowhere in the code that would echo 0 into the /proc file).

Syncookies are turned on in recent kernels, so even if I set =no
here, they remain on.

This, as well as other shortcomings (see below), has led people to
see the file as deprecated.

The options now are:

  1. fix the above issue
  2. note that the file is deprecated in the file
  3. remove the file

I vote for 2 then 3. Other reasons for this are that things like
rp_filter should be done on a per-interface basis, and ip_forward
should only be turned on after loading a firewall.

I would thus suggest providing examples in the options file on how
to use ifupdown hooks to achieve the same.

Thanks for your consideration.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (600, 'testing'), (98, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.12-cirrus
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages netbase depends on:
ii  debconf                     1.4.52       Debian configuration management sy
ii  ifupdown                    0.6.7        high level tools to configure netw
ii  iputils-ping [ping]         3:20020927-2 Tools to test the reachability of 
ii  netkit-inetd                0.10-10      The Internet Superserver
ii  tcpd                        7.6.dbs-8    Wietse Venema's TCP wrapper utilit

-- debconf information excluded

-- 
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP (sub)keys? Use subkeys.pgp.net as keyserver!
 
in seattle, washington, it is illegal to carry a concealed weapon that
is over six feet in length.
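
An added example, not netbase's code and not part of the original report, covering option 1 and the per-interface rp_filter point: a helper that writes 0 as well as 1 and reads the value back, so a configured "no" cannot silently leave a flag on. PROC_ROOT, set_flag, set_rp_filter and demo are hypothetical names, and the demo runs on a constructed scratch tree instead of /proc/sys.

```shell
#!/bin/sh
# Added example, not netbase code. PROC_ROOT is a hypothetical override so the
# functions can be exercised against a scratch directory instead of /proc/sys.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# set_flag KEY VALUE: write 1 for "yes", 0 for "no", then read the value back.
# Returns 0 on success, 1 if the write did not take effect, 2 on a bad value,
# 3 if the kernel does not expose KEY.
set_flag () {
    key_path="$PROC_ROOT/$1"
    case "$2" in
        yes) want=1 ;;
        no)  want=0 ;;
        *)   echo "set_flag: $1: expected yes or no, got '$2'" >&2; return 2 ;;
    esac
    [ -e "$key_path" ] || return 3
    echo "$want" > "$key_path" || return 1
    # Verify: a configured "no" that leaves the flag at 1 must not pass silently.
    [ "$(cat "$key_path")" = "$want" ] || return 1
}

# Per-interface reverse-path filtering, as an ifupdown hook would apply it.
# ifupdown exports IFACE to hook scripts; here the name is passed as $1.
set_rp_filter () {
    set_flag "net/ipv4/conf/$1/rp_filter" "$2"
}

# Demo in a subshell on a constructed tree that mimics a kernel which
# defaults syncookies to on and leaves rp_filter off for eth0.
demo () (
    scratch=$(mktemp -d) || exit 1
    mkdir -p "$scratch/net/ipv4/conf/eth0"
    echo 1 > "$scratch/net/ipv4/tcp_syncookies"
    echo 0 > "$scratch/net/ipv4/conf/eth0/rp_filter"
    PROC_ROOT=$scratch
    status=0
    set_flag net/ipv4/tcp_syncookies no || status=$?
    set_rp_filter eth0 yes || status=$?
    echo "syncookies=$(cat "$scratch/net/ipv4/tcp_syncookies")" \
         "eth0.rp_filter=$(cat "$scratch/net/ipv4/conf/eth0/rp_filter")"
    rm -rf "$scratch"
    exit "$status"
)

demo
```

In an ifupdown hook the interface name would come from $IFACE, for example set_rp_filter "$IFACE" yes.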
