tech-net archive


Re: [patch] bug fix & TCP networking performance improvements

On Tue, Apr 19, 2011 at 06:48:06PM +0200, Matthias Drochner wrote:
> [kauth in inet6]
> said:
> > I am not sure what the engineer who added this hunk meant when he
> > added the comment "I am not going to try and really fix this" above
> > that hunk of code
> This code is clearly - hmm - unfinished. The new check
> is just inserted after the old suser check, so it can't do
> anything for you if the suser check already failed.

Yes.  It turns out the "I am not going to try and really fix this"
comment probably refers to the suser check having been put back
into effect.  I'm still digging into it a bit.

> Also, half of the commands for which the check is done are no-ops
> (or EINVALs) anyway.

Yes, but as interface ioctls they should still authorize via the
appropriate kauth operation as the analogous v4 ioctls do.  It is
most consistent and safe that way.

> I'd suggest to keep the kauth stuff separate for now; it
> is unrelated anyway and it needs some care.

You are probably correct about this.

I believe David's going to fix the initialization issue you also
noted, which is much more serious.  It's actually my opinion that
VTW should be on by default, and that we should plan to remove the
non-VTW mode of operation once users report VTW is stable for them.
After all, we do not have operation both with and without the SYN
cache for TCP, and it seems likely to me the code will end up less
reliable and less well maintained if we leave two modes for FIN

