
Bug#277736: NAPI not enabled - should be



severity 277736 wishlist
quit

On Thu, Oct 21, 2004 at 08:19:29PM -0700, Simon Kirby wrote:
> Package: kernel-image-2.6.8-1-386
> Severity: normal
> Tags: security
> 
> [ Filed with reportbug, but not specific to this system. ]
> 
> Hello,
> 
> CONFIG_E1000_NAPI, CONFIG_E100_NAPI, etc., all appear to be disabled in
> the kernel configuration (for at least i386).  This option allows boxes
> that would otherwise choke in a denial of service attack (or just heavy
> load) to survive (making this a security issue) with load on the order
> of five times higher or more.
> 
> I have personally tested CONFIG_E1000_NAPI, CONFIG_E100_NAPI, and TG3
> NAPI on many servers and core routers and have found it to be both
> extremely important and completely stable.
> 
> Other distributions (eg: Red Hat ES) do appear to have this option
> enabled in the default kernels.
> 
> For more information, see linux/Documentation/networking/NAPI_HOWTO.txt.

Hi Simon,

I am a little wary of enabling an option that will affect the behaviour
of device drivers. I observe that for the ES 3.0 WS kernel it only seems
to be enabled for E1000. I also observe that it is enabled for smp
builds of 2.6.8 in Debian, except on the E100, which makes me
suspect it may be problematic or at least not trusted on some cards.

Do you have any more information on this? I agree it is desirable
to enable this, however, not at the expense of possible breakage.

-- 
Horms


