From: Toke Høiland-Jørgensen
To: Dave Taht, Mikael Abrahamsson
Cc: cerowrt-devel, bloat
Date: Tue, 03 Sep 2019 16:45:00 +0200
Message-ID: <875zm9a177.fsf@toke.dk>
Subject: Re: [Bloat] talking at linux plumbers in portugal next week

Dave Taht writes:

> On Tue, Sep 3, 2019 at 5:23 AM Mikael Abrahamsson wrote:
>>
>> On Mon, 2 Sep 2019, Dave Taht wrote:
>>
>> > with copy-pasted parameters set in the 90s - openwrt's default, last I
>> > looked, was 25/sec.
>>
>> -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
>> -A syn_flood -m comment --comment "!fw3" -j DROP
>>
>> Well, it's got a burst-size of 50. I agree that this is quite
>> conservative.
>>
>> However, at least in my home we're not seeing drops:
>>
>> # iptables -nvL | grep -A 4 "Chain syn_flood"
>> Chain syn_flood (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>  2296  113K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
>>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
>>
>> But you might be right that in places with a lot more clients then this
>> might indeed cause problems.
>
> Well, *I* long ago had upped those params by 10x and don't see syn
> drops either on my backbone. But I rather suspect the rest of the
> world just copy-pasted it. It should scale as a function of bandwidth,
> I suppose, or get updated as a side effect of setting QoS - or just
> get bumped up. Start a bug over with openwrt? Take a hard look at
> other firewall designs?

FWIW:

# iptables -nvL syn_flood
Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
 195K   12M RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

# ip6tables -nvL syn_flood
Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
  396 41508 RETURN     tcp      *      *       ::/0                 ::/0                 tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all      *      *       ::/0                 ::/0                 /* !fw3 */

rebooted this box today; don't seem to have hit the limit thus far,
though... This is on a gigabit link.

-Toke
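As an added example, not code from this thread, from OpenWrt or from fw3: a small Python script that does what the thread is doing by eye, parses `iptables -nvL syn_flood` output (a constructed sample in the same shape as the listings above, with a non-zero DROP count so the check has something to find) and then runs a burst of SYNs through a token bucket with the rule's `--limit 25/sec --limit-burst 50` parameters, next to the 10x values Dave mentions. The bucket is the textbook model (starts full, refills at the average rate, capped at the burst size) and is assumed here to approximate xt_limit's credit accounting; the kernel's exact jiffy-based arithmetic is not modelled.

```python
"""Model of OpenWrt's syn_flood rate limit: parse `iptables -nvL syn_flood`
counters and run a SYN burst through a token bucket with the same
parameters.

Added example, not code from the thread, from OpenWrt or from fw3.  The
bucket model is the textbook one (starts full at `burst` tokens, refills
at `rate` tokens per second, capped at `burst`); that is assumed to
approximate xt_limit's credit accounting, not to reproduce the kernel's
exact jiffy-based arithmetic.
"""
import re
from fractions import Fraction

# Constructed sample in the shape of the listings in the thread, with a
# non-zero DROP counter so the check below has something to report.
SAMPLE_OUTPUT = """\
Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination
 195K   12M RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
   12   720 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
"""

_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
_PER_UNIT = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}


def parse_count(token):
    """Turn an abbreviated iptables counter ('195K', '12M', '0') into an int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_syn_flood(output):
    """Return {'RETURN': pkts, 'DROP': pkts, 'rate': Fraction/sec, 'burst': int}."""
    info = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or not re.fullmatch(r"\d+[KMG]?", fields[0]):
            continue  # chain banner and column header
        info[fields[2]] = parse_count(fields[0])  # third column is the target
        m = re.search(r"limit: avg (\d+)/(sec|min|hour|day) burst (\d+)", line)
        if m:
            info["rate"] = Fraction(int(m.group(1)), _PER_UNIT[m.group(2)])
            info["burst"] = int(m.group(3))
    return info


def syn_flood_is_dropping(output):
    """The check the thread is doing by eye: has the DROP rule ever fired?"""
    return parse_syn_flood(output).get("DROP", 0) > 0


def simulate(arrivals, rate, burst):
    """Feed SYN arrival times (seconds, ascending) through a token bucket.

    Returns (accepted, dropped).  Fractions keep the arithmetic exact, so
    the result does not depend on float rounding.
    """
    rate, burst = Fraction(rate), Fraction(burst)
    tokens = burst            # the bucket starts full
    last = Fraction(0)
    accepted = dropped = 0
    for t in arrivals:
        t = Fraction(t)
        tokens = min(burst, tokens + (t - last) * rate)
        last = t
        if tokens >= 1:
            tokens -= 1
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


def even_burst(n, duration):
    """n SYNs spread evenly over `duration` seconds, starting at t=0."""
    return [Fraction(i) * Fraction(duration) / n for i in range(n)]


if __name__ == "__main__":
    info = parse_syn_flood(SAMPLE_OUTPUT)
    print(f"limit {info['rate']}/sec burst {info['burst']}: "
          f"RETURN={info['RETURN']} DROP={info['DROP']}")
    # 100 clients each opening one connection within a second (say, after
    # an outage), against the default and against the 10x settings.
    burst = even_burst(100, 1)
    print("default 25/sec burst 50:  ", simulate(burst, 25, 50))
    print("10x     250/sec burst 500:", simulate(burst, 250, 500))
```

With 100 SYNs spread over one second the default parameters pass 74 and drop 26, while 250/sec burst 500 drops none; 50 SYNs in a second fit inside the initial burst and are never dropped. On a real box the `DROP` counter from `iptables -nvL syn_flood` is the number to watch, since it only moves once the bucket has actually run dry.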