On Mon, Oct 16, 2017 at 11:37 PM, Christoph Paasch <cpaa...@apple.com> wrote:
> We already allow to enable TFO without a cookie by using the
> fastopen-sysctl and setting it to TFO_SERVER_COOKIE_NOT_REQD (0x200).
> This is safe to do in certain environments where we know that there
> isn't a malicious host (aka., data-centers).
>
> A server however might be talking to both sides (public Internet and
> data-center). So, this server would want to enable cookie-less TFO for
> the connections that go to the data-center while enforcing cookies for
> the traffic from the Internet.
>
> This patch exposes a socket-option to enable this (protected by
> CAP_NET_ADMIN).
Have you thought instead of a route attribute? CAP_NET_ADMIN restriction is not really practical IMO.
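As an added example, not part of this thread and not kernel code: a small POSIX shell audit that decodes the global net.ipv4.tcp_fastopen bitmask and warns when the 0x200 bit (TFO_SERVER_COOKIE_NOT_REQD) is set, since the quoted message says that setting is only safe when every peer is trusted. The bit meanings follow the kernel's ip-sysctl documentation; the function names (tfo_decode, tfo_cookieless_server, tfo_audit) and the sample values are my own.

```shell
#!/bin/sh
# Added example (not from the thread): decode the net.ipv4.tcp_fastopen
# bitmask and flag the server-side cookie-less bit (0x200), which disables
# the cookie check for every listener on the host.

# Print the names of the bits set in a tcp_fastopen value (decimal or 0x-hex).
tfo_decode() {
    v=$(( $1 ))
    out=""
    [ $(( v & 0x1 ))   -ne 0 ] && out="$out client_tfo"
    [ $(( v & 0x2 ))   -ne 0 ] && out="$out server_tfo"
    [ $(( v & 0x4 ))   -ne 0 ] && out="$out client_no_cookie"
    [ $(( v & 0x200 )) -ne 0 ] && out="$out server_cookie_not_reqd"
    [ $(( v & 0x400 )) -ne 0 ] && out="$out server_tfo_all_listeners"
    printf '%s\n' "${out# }"
}

# Succeed (exit 0) when cookie-less server TFO is enabled in the given value.
tfo_cookieless_server() {
    v=$(( $1 ))
    [ $(( v & 0x200 )) -ne 0 ]
}

# Audit a value: use $1 if given, otherwise read the live sysctl.
# Returns 0 when cookies are still enforced, 1 when the host accepts
# data-in-SYN without a cookie, 2 when the sysctl cannot be read.
tfo_audit() {
    f=/proc/sys/net/ipv4/tcp_fastopen
    if [ -n "$1" ]; then
        cur=$1
    elif [ -r "$f" ]; then
        cur=$(cat "$f")
    else
        echo "tcp_fastopen sysctl not available" >&2
        return 2
    fi
    echo "tcp_fastopen=$cur ($(tfo_decode "$cur"))"
    if tfo_cookieless_server "$cur"; then
        echo "WARNING: server accepts data-in-SYN without a cookie on ALL listeners;"
        echo "         only acceptable when every peer is trusted (data-center-only host)."
        return 1
    fi
    return 0
}
```

Source the file and run `tfo_audit` to check the running host, or `tfo_audit 0x203` to evaluate a value before deploying it. Because the sysctl is global, the check illustrates the problem the patch addresses: a host that also serves Internet clients cannot set 0x200 without dropping the cookie requirement for them too.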