If you use syncookied in networks where a single public IP (VIP) is terminated by multiple hosts—and you’re stuck with “where to get a shared secret,” or simply want to run newer kernels (Linux 4.11+ computes TCP SYN cookies with SipHash while the public syncookied relies on SHA-1)—consider syncsync. It’s a loadable kernel module (LKM) that restores SHA-1 for TCP SYN cookies system-wide and adds a time-based shared-secret ticker (derived from a base secret + time identically across all servers). Packaged via DKMS—no kernel rebuild required.
When used together with syncookied, it removes the need for tcpsecrets and userspace secret distribution, and simplifies transparent on-path insertion/removal of syncookied in multi-host setups (ECMP/DR, etc.). Repository: psylity/syncsync.
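A userspace model of the time-based shared-secret ticker described above, added here as an illustration; it is not code from syncsync or syncookied. The HMAC-SHA256 derivation, the 64-second period, the previous-epoch acceptance window and the simplified 4-byte cookie are all assumptions.

```python
import hashlib
import hmac
import struct

PERIOD = 64  # assumed rotation period in seconds (not a syncsync value)

def epoch_secret(base_secret: bytes, now: float, period: int = PERIOD) -> bytes:
    """Per-epoch secret from base secret + time (HMAC-SHA256 is an assumed KDF)."""
    epoch = int(now) // period
    return hmac.new(base_secret, struct.pack(">Q", epoch), hashlib.sha256).digest()

def make_cookie(secret: bytes, flow: tuple) -> bytes:
    """Simplified 32-bit cookie over (saddr, daddr, sport, dport, client_isn)."""
    msg = "|".join(str(field) for field in flow).encode()
    return hmac.new(secret, msg, hashlib.sha1).digest()[:4]

def issue(base_secret: bytes, now: float, flow: tuple, period: int = PERIOD) -> bytes:
    """Cookie a host would emit at time `now`, using only local state."""
    return make_cookie(epoch_secret(base_secret, now, period), flow)

def verify(base_secret: bytes, now: float, flow: tuple, cookie: bytes,
           period: int = PERIOD) -> bool:
    """Accept the current and previous epoch, so a cookie issued just before
    a tick, or by a peer whose clock is slightly behind, still validates."""
    ok = False
    for t in (now, now - period):
        if t < 0:
            continue
        ok |= hmac.compare_digest(issue(base_secret, t, flow, period), cookie)
    return ok

# Constructed sample values: two hosts behind one VIP share only BASE.
BASE = b"constructed-base-secret"
FLOW = ("198.51.100.7", "203.0.113.10", 40000, 443, 123456789)

if __name__ == "__main__":
    cookie = issue(BASE, 1000, FLOW)           # host A answers the SYN
    for t in (1010, 1030, 1200):               # host B receives the ACK at time t
        print(t, verify(BASE, t, FLOW, cookie))
```

The model only works if the hosts' clocks agree to within the acceptance window, so time synchronization becomes part of the trust boundary alongside the base secret.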