From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <toke@toke.dk>
Received: from mail.toke.dk (mail.toke.dk [52.28.52.200])
 (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by lists.bufferbloat.net (Postfix) with ESMTPS id 55FF53CB3F;
 Tue,  3 Sep 2019 11:10:31 -0400 (EDT)
From: Toke =?utf-8?Q?H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=toke.dk; s=20161023;
 t=1567523430; bh=fr1f/yD6OMJNsOIzg60ynTzKnAcoAqDO0luqnUH1drU=;
 h=From:To:Cc:Subject:In-Reply-To:References:Date:From;
 b=EVuXnFkwQMgUzKMBs9Kyi8xQbQAG3EeF7PHsmxz8v+DE0OUQydnw9MnAhL/IR3lW0
 d0o1okgHfsf4LCiRLxJg9xAnoicMiRXwMUiqn7liSz56YOUqOUKCqZwg1TKAIqtB5E
 QZkYSGcZu8JxdVirHCISvDyExBgm4GjjeEZWGzn2tvb0nhNxq1lo24Uq7p3UE3l2k+
 pIbp/xh+Cd8KNouHQdgHAI1jWPs7g35IWTTsS6kUuxOeSjnZG3TjOgKzvQV1lCY6l+
 QhFPSqgABdcXQ+ub9/GeGnlC8OWNnPVwMS48ACu/vIZP9sP2k3ku00RlGcYLt9QiWe
 JtmZhnK2Dy2rg==
To: Dave Taht <dave.taht@gmail.com>
Cc: Mikael Abrahamsson <swmike@swm.pp.se>,
 cerowrt-devel <cerowrt-devel@lists.bufferbloat.net>,
 bloat <bloat@lists.bufferbloat.net>
In-Reply-To: <CAA93jw4RvsbRzmLQwKL1s_hF3J16-tGX0CQrUAn1xzgBRfJ8Hw@mail.gmail.com>
References: <CAA93jw5OS9zxQasFFn6C2354yvyFO0xin+O6jYFrx46Ax5Tx=g@mail.gmail.com>
 <alpine.DEB.2.20.1909031420320.21548@uplift.swm.pp.se>
 <CAA93jw6VxZ4V85qYHWzb1UsLUX6acUu=1oXT6fWVpqnzAWgQUw@mail.gmail.com>
 <875zm9a177.fsf@toke.dk>
 <CAA93jw4RvsbRzmLQwKL1s_hF3J16-tGX0CQrUAn1xzgBRfJ8Hw@mail.gmail.com>
Date: Tue, 03 Sep 2019 17:10:29 +0200
X-Clacks-Overhead: GNU Terry Pratchett
Message-ID: <8736hda00q.fsf@toke.dk>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [Bloat] talking at linux plumbers in portugal next week
X-BeenThere: bloat@lists.bufferbloat.net
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: General list for discussing Bufferbloat <bloat.lists.bufferbloat.net>
List-Unsubscribe: <https://lists.bufferbloat.net/options/bloat>,
 <mailto:bloat-request@lists.bufferbloat.net?subject=unsubscribe>
List-Archive: <https://lists.bufferbloat.net/pipermail/bloat>
List-Post: <mailto:bloat@lists.bufferbloat.net>
List-Help: <mailto:bloat-request@lists.bufferbloat.net?subject=help>
List-Subscribe: <https://lists.bufferbloat.net/listinfo/bloat>,
 <mailto:bloat-request@lists.bufferbloat.net?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2019 15:10:31 -0000

Dave Taht <dave.taht@gmail.com> writes:

> On Tue, Sep 3, 2019 at 7:45 AM Toke H=C3=B8iland-J=C3=B8rgensen <toke@tok=
e.dk> wrote:
>>
>> Dave Taht <dave.taht@gmail.com> writes:
>>
>> > On Tue, Sep 3, 2019 at 5:23 AM Mikael Abrahamsson <swmike@swm.pp.se> w=
rote:
>> >>
>> >> On Mon, 2 Sep 2019, Dave Taht wrote:
>> >>
>> >> > with copy-pasted parameters set in the 90s - openwrt's default, las=
t I
>> >> > looked, was 25/sec.
>> >>
>> >> -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit -=
-limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
>> >> -A syn_flood -m comment --comment "!fw3" -j DROP
>> >>
>> >> Well, it's got a burst-size of 50. I agree that this is quite
>> >> conservative.
>> >>
>> >> However, at least in my home we're not seeing drops:
>> >>
>> >> # iptables -nvL | grep -A 4 "Chain syn_flood"
>> >> Chain syn_flood (1 references)
>> >>   pkts bytes target     prot opt in     out     source               =
destination
>> >>   2296  113K RETURN     tcp  --  *      *       0.0.0.0/0            =
0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3=
 */
>> >>      0     0 DROP       all  --  *      *       0.0.0.0/0            =
0.0.0.0/0            /* !fw3 */
>> >>
>> >> But you might be right that in places with a lot more clients then th=
is
>> >> might indeed cause problems.
>> >
>> > Well, *I* long ago had upped those params by 10x and don't see syn
>> > drops either on my backbone. But I rather suspect the rest of the
>> > world just copy-pasted it. It should scale as a function of bandwidth,
>> > I suppose, or get updated as a side effect of setting QoS - or just
>> > get bumped up. Start a bug over with openwrt? Take a hard look at
>> > other firewall designs?
>>
>> FWIW:
>>
>> # iptables -nvL syn_flood
>> Chain syn_flood (1 references)
>>  pkts bytes target     prot opt in     out     source               dest=
ination
>>  195K   12M RETURN     tcp  --  *      *       0.0.0.0/0            0.0.=
0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
>>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.=
0.0/0            /* !fw3 */
>>
>> # ip6tables -nvL syn_flood
>> Chain syn_flood (1 references)
>>  pkts bytes target     prot opt in     out     source               dest=
ination
>>   396 41508 RETURN     tcp      *      *       ::/0                 ::/0=
                 tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
>>     0     0 DROP       all      *      *       ::/0                 ::/0=
                 /* !fw3 */
>>
>> rebooted this box today; don't seem to have hit the limit thus far,
>> though... This is on a gigabit link.
>
> Hmm. Try to trigger it with --te=3Dupload_streams=3D200 ?

Sure, that triggers it:

# iptables -nvL syn_flood
Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destina=
tion=20=20=20=20=20=20=20=20=20
 197K   12M RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0=
/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
  275 16480 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0=
/0            /* !fw3 */


And I get tons of errors from netperf failing to start up.

However, the protection is only actually enabled for the INPUT chain;
i.e., I had to use the router itself as the netperf target to trigger
the rule. So not sure a rule such as this would be the cause of your
coffee shop failures?

This is with the default openwrt config, BTW:


config defaults
        option syn_flood '1'


-Toke