From: Toke Høiland-Jørgensen
To: Dave Taht
Cc: Mikael Abrahamsson, cerowrt-devel, bloat
Date: Tue, 03 Sep 2019 17:10:29 +0200
Message-ID: <8736hda00q.fsf@toke.dk>
Subject: Re: [Bloat] talking at linux plumbers in portugal next week

Dave Taht writes:

> On Tue, Sep 3, 2019 at 7:45 AM Toke Høiland-Jørgensen wrote:
>>
>> Dave Taht writes:
>>
>> > On Tue, Sep 3, 2019 at 5:23 AM Mikael Abrahamsson wrote:
>> >>
>> >> On Mon, 2 Sep 2019, Dave Taht wrote:
>> >>
>> >> > with copy-pasted parameters set in the 90s - openwrt's default, last I
>> >> > looked, was 25/sec.
>> >>
>> >> -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
>> >> -A syn_flood -m comment --comment "!fw3" -j DROP
>> >>
>> >> Well, it's got a burst-size of 50. I agree that this is quite
>> >> conservative.
>> >>
>> >> However, at least in my home we're not seeing drops:
>> >>
>> >> # iptables -nvL | grep -A 4 "Chain syn_flood"
>> >> Chain syn_flood (1 references)
>> >>  pkts bytes target     prot opt in     out     source               destination
>> >>  2296  113K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
>> >>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
>> >>
>> >> But you might be right that in places with a lot more clients then this
>> >> might indeed cause problems.
>> >
>> > Well, *I* long ago had upped those params by 10x and don't see syn
>> > drops either on my backbone. But I rather suspect the rest of the
>> > world just copy-pasted it. It should scale as a function of bandwidth,
>> > I suppose, or get updated as a side effect of setting QoS - or just
>> > get bumped up. Start a bug over with openwrt? Take a hard look at
>> > other firewall designs?
>>
>> FWIW:
>>
>> # iptables -nvL syn_flood
>> Chain syn_flood (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>  195K   12M RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
>>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
>>
>> # ip6tables -nvL syn_flood
>> Chain syn_flood (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>   396 41508 RETURN     tcp      *      *       ::/0                 ::/0                 tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
>>     0     0 DROP       all      *      *       ::/0                 ::/0                 /* !fw3 */
>>
>> rebooted this box today; don't seem to have hit the limit thus far,
>> though... This is on a gigabit link.
>
> Hmm. Try to trigger it with --te=upload_streams=200 ?

Sure, that triggers it:

# iptables -nvL syn_flood
Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
 197K   12M RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
  275 16480 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

And I get tons of errors from netperf failing to start up. However, the
protection is only actually enabled for the INPUT chain; i.e., I had to
use the router itself as the netperf target to trigger the rule. So not
sure a rule such as this would be the cause of your coffee shop
failures?

This is with the default openwrt config, BTW:

config defaults
        option syn_flood '1'

-Toke
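As an added illustration (not part of the thread above), a token-bucket model of the "-m limit --limit 25/sec --limit-burst 50" rule, fed a constructed trace of 200 SYNs opening within one second, which is roughly what the upload_streams=200 test does against the router. The rate, burst and traces are parameters of the model; the kernel's xt_limit counts credit in integer jiffies, so verdicts exactly at the boundary may differ by a packet or two.

```python
from fractions import Fraction


class SynFloodLimiter:
    """Token-bucket model of the OpenWrt syn_flood chain:
    '-m limit --limit 25/sec --limit-burst 50 -j RETURN' followed by DROP.
    Added model of xt_limit's behaviour, not OpenWrt's or the kernel's code."""

    def __init__(self, rate_per_sec=25, burst=50):
        self.rate = Fraction(rate_per_sec)   # --limit 25/sec
        self.burst = Fraction(burst)         # --limit-burst 50
        self.tokens = self.burst             # bucket starts full
        self.last_t = Fraction(0)

    def syn(self, t):
        """Verdict for one SYN arriving at time t (seconds; Fraction for exact math)."""
        t = Fraction(t)
        # credit accrues at the average rate but never beyond the burst size
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if self.tokens >= 1:
            self.tokens -= 1
            return "RETURN"   # limit matched: the SYN continues through the chain
        return "DROP"         # credit exhausted: falls to the unconditional DROP


def run_trace(arrivals, rate_per_sec=25, burst=50):
    """Count RETURN/DROP verdicts over a list of SYN arrival times."""
    lim = SynFloodLimiter(rate_per_sec, burst)
    counts = {"RETURN": 0, "DROP": 0}
    for t in arrivals:
        counts[lim.syn(t)] += 1
    return counts


def spread(n_syns, over_sec):
    """Constructed trace: n_syns SYNs evenly spaced over over_sec seconds."""
    return [Fraction(i * over_sec, n_syns) for i in range(n_syns)]


if __name__ == "__main__":
    # 200 netperf streams all opening within one second
    print("200 SYNs in 1 s, default rule:", run_trace(spread(200, 1)))
    # the same connections spread over ten seconds stay under 25/sec
    print("200 SYNs in 10 s, default rule:", run_trace(spread(200, 10)))
    # the "upped by 10x" variant mentioned in the thread
    print("200 SYNs in 1 s, 250/sec burst 500:", run_trace(spread(200, 1), 250, 500))
```

With the defaults, 74 of the 200 SYNs pass and 126 fall through to DROP, which matches the netperf start-up failures reported above; the 10x parameters pass all 200.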