Subject: Re: Resetting ip, icmp etc statistics
To: None <jonathan@dsg.stanford.edu>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-net
Date: 03/31/2006 18:30:14

On Fri, Mar 31, 2006 at 05:55:06PM -0800, jonathan@dsg.stanford.edu wrote:
>
> In message <20060401012345.GC5840@netbsd.org>, Bill Studenmund writes:
>
> >> A sysctl doesn't really help: anyone with superuser privileges can
> >> turn off the sysctl, then zero the counters.
> >
> >So?
>
> >All the sysctl is supposed to do is make sure that an administrator
> >doesn't accidentally reset the counters.
>
> Bill, since other people clearly got the gist of my message, I don't
> see why you have failed to grasp it.  The point I'm aiming at is to
> provide hooks to deny anyone the ability to zero out counters.
>
> Which is it you're not getting: that statement, or the reasons behind it?

Uhm, Jonathan, what makes you think I didn't get the gist of your message?
The fact I feel your proposal goes way overboard?

Disagreeing doesn't mean I didn't understand your point. It simply means
that your argument is not so immediately-obvious as to be instantly
convincing.

Actually, your point is NOT to provide hooks to deny anyone the ability to
zero out counters. It does much more. You propose making it a compile-time
option, and you further propose it defaulting to off.

> >> I think we'd be better off to rework both the in-kernel support for
> >> "ifconfig -z", and the current proposal to allow resetting
> >> per-protocol statistics, to become compile-time options. Per the
> >> discussion that such zeroisation makes sense for "experimental" or
> >> single-user systems, the default should be
> >>
> >>      "zeroization not allowed".
> >
> >Why? A LOT of folks like it.
>
> And some folks find it objectionable. Next point?

Ok, how exactly do you build the case that it should only be compile-time
enableable and that compile option should default to off?

Take care,

Bill
