From 9219bf432b50f0ac0f420456da94fb76a492d200 Mon Sep 17 00:00:00 2001
From: anti
Date: Sat, 4 Apr 2026 13:34:51 -0300
Subject: [PATCH] Fix: remove net.core.rmem_default from windows sysctl profile

net.core.rmem_default is a global (non-namespaced) kernel sysctl. Docker's OCI runtime rejects it at container start with "permission denied" unless the container runs --privileged. Drop it from the windows profile; TTL=128 and tcp_syn_retries=2 are sufficient for nmap TTL-based detection.

Co-Authored-By: Claude Sonnet 4.6
---
 decnet/os_fingerprint.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/decnet/os_fingerprint.py b/decnet/os_fingerprint.py
index 38e1450..d8f088e 100644
--- a/decnet/os_fingerprint.py
+++ b/decnet/os_fingerprint.py
@@ -13,7 +13,9 @@ Primary discriminator leveraged by nmap: net.ipv4.ip_default_ttl (TTL) Secondary tuning (TCP behaviour): net.ipv4.tcp_syn_retries – SYN retransmits before giving up - net.core.rmem_default – initial receive buffer → affects SYN-ACK window field + +Note: net.core.rmem_default is a global (non-namespaced) sysctl and cannot be +set per-container without --privileged; it is intentionally excluded. """ from __future__ import annotations
@@ -26,7 +28,6 @@ OS_SYSCTLS: dict[str, dict[str, str]] = {
 "windows": {
 "net.ipv4.ip_default_ttl": "128",
 "net.ipv4.tcp_syn_retries": "2",
- "net.core.rmem_default": "8388608", # 8 MB → large initial window like Windows
 },
 "bsd": {
 "net.ipv4.ip_default_ttl": "64",
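Review bot: The docstring note added in the first hunk explains why net.core.rmem_default is excluded but not what the profile loses: per the removed docstring line it was the setting that affected the SYN-ACK window field, so the windows profile is now distinguished by TTL and SYN retries only. I would add that to the note, for example `Without it the SYN-ACK window is left at the host's value, so profiles differ by TTL and SYN retries only.` These containers appear to be decoys that will receive hostile traffic, so the note should also say that running them --privileged is not the fix, to keep the key from being re-added that way. If window shaping is wanted later, a namespaced key is the route (net.ipv4.tcp_rmem looks per-namespace on recent kernels, to be confirmed before use). The matching entry is removed from OS_SYSCTLS in the second hunk; the docstring begins above this hunk.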