On 23/08/2024 17:20, Willy Tarreau wrote:
> On Fri, Aug 23, 2024 at 05:11:11PM +0200, Matthieu Baerts wrote:

(...)

>> Maybe a new socket option would be better if the idea is only to
>> silently drop connections? :)
> 
> Yes, probably. Right now it's done directly in the action itself
> (tcp_exec_action_silent_drop()), and we already detect if the option
> is supported, so that would just be a matter of checking more
> explicitly for conn->ctrl->proto == mptcp and using the other option.

If such an option is added, I think it is probably better to add it at the
TCP level (or socket level), and then add its support for MPTCP sockets.
But yes, good to know it is easy to add alternatives there!

> In any case the code *tries* to make use of this, and will fall back
> to other methods. One of them is to try to change the TTL of the
> socket before closing (so that the RST doesn't reach the client).
> And when all of this fails, the connection is closed anyway, so it's
> just not silent. As such, there's no harm at all in not supporting this
> at all, it's just less optimal.

I sent patches more than one year ago to support these socket options to
modify the TTL in v4 and v6, as part of a refactoring, and they are
still not applied :(

(/me updates his TODO list)

>> (If these botnets are using "plain" TCP, the TCP_REPAIR socket option
>> will work!)
> 
> Ah, good to know! I guess we still have quite some time ahead before
> they start playing with mptcp by default, so for most use cases it will
> be fine!

I guess yes :)

(and currently MPTCP is not supported on Windows)

Cheers,
Matt
-- 
Sponsored by the NGI0 Core fund.
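As an added illustration of the fallback ladder Willy describes above (TCP_REPAIR first, then a lowered TTL before closing, then a plain close), here is a small Linux-only C helper. It is not code from this thread and not HAProxy's tcp_exec_action_silent_drop(); the function names (silent_drop, sock_protocol, sock_domain), the explicit skip of TCP_REPAIR on IPPROTO_MPTCP sockets, and the use of SO_LINGER to force the RST out immediately after the TTL change are my own assumptions.

```c
/* Added example, not HAProxy code: close a connection as silently as the
 * kernel allows. Linux only (TCP_REPAIR, SO_PROTOCOL, SO_DOMAIN). */
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IPPROTO_MPTCP
#define IPPROTO_MPTCP 262   /* Linux value; older headers do not define it */
#endif

enum drop_method { DROP_REPAIR = 0, DROP_LOW_TTL = 1, DROP_PLAIN = 2 };

/* Transport protocol the socket was created with (SO_PROTOCOL is Linux-specific).
 * Returns -1 when the query itself fails (bad fd, non-Linux kernel). */
int sock_protocol(int fd)
{
    int proto = 0;
    socklen_t len = sizeof(proto);
    if (getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &proto, &len) != 0)
        return -1;
    return proto;
}

/* Address family of the socket (SO_DOMAIN is Linux-specific); -1 on failure. */
int sock_domain(int fd)
{
    int dom = 0;
    socklen_t len = sizeof(dom);
    if (getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &dom, &len) != 0)
        return -1;
    return dom;
}

/* Close fd so that, as far as possible, the peer never sees a RST.
 * 1. TCP_REPAIR: the kernel tears the socket down without emitting any
 *    segment. Needs CAP_NET_ADMIN and is only implemented for plain TCP, so
 *    an MPTCP socket is skipped explicitly instead of letting the call fail.
 * 2. Otherwise lower the TTL / hop limit to 1 (both options on an AF_INET6
 *    socket, since the peer may be v4-mapped) and force an immediate RST
 *    with SO_LINGER{1,0}: the RST dies at the first router on the path.
 * 3. If even that fails, close normally: not silent, just less optimal.
 * Returns the method that was actually used. */
int silent_drop(int fd)
{
    int one = 1, ttl = 1, rc;
    struct linger lg = { .l_onoff = 1, .l_linger = 0 };

    if (sock_protocol(fd) == IPPROTO_TCP &&
        setsockopt(fd, IPPROTO_TCP, TCP_REPAIR, &one, sizeof(one)) == 0) {
        close(fd);
        return DROP_REPAIR;
    }

    if (sock_domain(fd) == AF_INET6) {
        rc = setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &ttl, sizeof(ttl));
        if (rc == 0)
            setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
    } else {
        rc = setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
    }
    if (rc == 0) {
        setsockopt(fd, SOL_SOCKET, SO_LINGER, &lg, sizeof(lg));
        close(fd);
        return DROP_LOW_TTL;
    }

    close(fd);
    return DROP_PLAIN;
}

int main(void)
{
    /* Constructed demo on an unconnected TCP socket: without CAP_NET_ADMIN the
     * TCP_REPAIR step fails with EPERM and the TTL fallback is taken. */
    static const char *names[] = { "TCP_REPAIR", "low TTL", "plain close" };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    printf("dropped via %s\n", names[silent_drop(fd)]);
    return 0;
}
```

The MPTCP check mirrors the conn->ctrl->proto == mptcp test mentioned in the thread: on such a socket the TCP_REPAIR setsockopt would simply fail and the code would fall through to the TTL path anyway, so the explicit check only saves a syscall and makes the intent readable.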