General list for discussing Bufferbloat
 help / color / mirror / Atom feed
From: Dave Taht <dave.taht@gmail.com>
To: "Toke Høiland-Jørgensen" <toke@toke.dk>
Cc: Mikael Abrahamsson <swmike@swm.pp.se>,
	cerowrt-devel <cerowrt-devel@lists.bufferbloat.net>,
	 bloat <bloat@lists.bufferbloat.net>
Subject: Re: [Bloat] talking at linux plumbers in portugal next week
Date: Tue, 3 Sep 2019 08:21:53 -0700	[thread overview]
Message-ID: <CAA93jw5Rzgin-TeOB7DRDR9EY34tUUVgT6MoA6aez+4_vfd+TA@mail.gmail.com> (raw)
In-Reply-To: <8736hda00q.fsf@toke.dk>

On Tue, Sep 3, 2019 at 8:10 AM Toke Høiland-Jørgensen <toke@toke.dk> wrote:
>
> Dave Taht <dave.taht@gmail.com> writes:
>
> > On Tue, Sep 3, 2019 at 7:45 AM Toke Høiland-Jørgensen <toke@toke.dk> wrote:
> >>
> >> Dave Taht <dave.taht@gmail.com> writes:
> >>
> >> > On Tue, Sep 3, 2019 at 5:23 AM Mikael Abrahamsson <swmike@swm.pp.se> wrote:
> >> >>
> >> >> On Mon, 2 Sep 2019, Dave Taht wrote:
> >> >>
> >> >> > with copy-pasted parameters set in the 90s - openwrt's default, last I
> >> >> > looked, was 25/sec.
> >> >>
> >> >> -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
> >> >> -A syn_flood -m comment --comment "!fw3" -j DROP
> >> >>
> >> >> Well, it's got a burst-size of 50. I agree that this is quite
> >> >> conservative.
> >> >>
> >> >> However, at least in my home we're not seeing drops:
> >> >>
> >> >> # iptables -nvL | grep -A 4 "Chain syn_flood"
> >> >> Chain syn_flood (1 references)
> >> >>   pkts bytes target     prot opt in     out     source               destination
> >> >>   2296  113K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
> >> >>      0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
> >> >>
> >> >> But you might be right that in places with a lot more clients then this
> >> >> might indeed cause problems.
> >> >
> >> > Well, *I* long ago had upped those params by 10x and don't see syn
> >> > drops either on my backbone. But I rather suspect the rest of the
> >> > world just copy-pasted it. It should scale as a function of bandwidth,
> >> > I suppose, or get updated as a side effect of setting QoS - or just
> >> > get bumped up. Start a bug over with openwrt? Take a hard look at
> >> > other firewall designs?
> >>
> >> FWIW:
> >>
> >> # iptables -nvL syn_flood
> >> Chain syn_flood (1 references)
> >>  pkts bytes target     prot opt in     out     source               destination
> >>  195K   12M RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
> >>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
> >>
> >> # ip6tables -nvL syn_flood
> >> Chain syn_flood (1 references)
> >>  pkts bytes target     prot opt in     out     source               destination
> >>   396 41508 RETURN     tcp      *      *       ::/0                 ::/0                 tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
> >>     0     0 DROP       all      *      *       ::/0                 ::/0                 /* !fw3 */
> >>
> >> rebooted this box today; don't seem to have hit the limit thus far,
> >> though... This is on a gigabit link.
> >
> > Hmm. Try to trigger it with --te=upload_streams=200 ?
>
> Sure, that triggers it:
>
> # iptables -nvL syn_flood
> Chain syn_flood (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>  197K   12M RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
>   275 16480 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
>
>
> And I get tons of errors from netperf failing to start up.
>
> However, the protection is only actually enabled for the INPUT chain;
> i.e., I had to use the router itself as the netperf target to trigger
> the rule. So not sure a rule such as this would be the cause of your
> coffee shop failures?

Good point. I think in the cerowrt case I'd enabled it for all chains
and then noticed, and bumped it up. Limiting syn attempts to the
router itself makes more sense than doing it on the forward path.

The coffee shop tests were fun, but I(we) needed more rigor when doing
them. What I'd typically do is go in,
get on the wifi, start 6 minutes worth of tests, get in line, get
coffee... I would feel a twinge of guilt when I'd
start seeing heads pop up from their laptops while running the rrul
test, but in two cases I managed to talk to
the owner, help 'em get QoS configured right on their router, show'd
'em the difference, and got a free meal out of it...

So, it was only discovering that I'd had that 30% rejection figure via
the stats on my osx box that I started speculating
as to the cause(s), last week. The other big fear is that because OSX
is always attempting to negotiate ECN, that that's a cause.

A bit more rigor about this and it could turn into a good paper or
blog entry, and it's good to get out more for the
sake of science, with table service!




>
> This is with the default openwrt config, BTW:
>
>
> config defaults
>         option syn_flood '1'
>
>
> -Toke



-- 

Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740

  reply	other threads:[~2019-09-03 15:22 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-03  0:47 Dave Taht
2019-09-03 12:23 ` Mikael Abrahamsson
2019-09-03 14:21   ` Dave Taht
2019-09-03 14:35     ` [Bloat] Revising the synflood limit Dave Taht
2019-09-10 18:08       ` [Bloat] [Cerowrt-devel] " Maciej Sołtysiak
2019-09-10 22:35         ` Dave Taht
2019-09-23  9:37           ` Maciej Sołtysiak
2019-09-03 14:45     ` [Bloat] talking at linux plumbers in portugal next week Toke Høiland-Jørgensen
2019-09-03 14:47       ` Dave Taht
2019-09-03 15:10         ` Toke Høiland-Jørgensen
2019-09-03 15:21           ` Dave Taht [this message]
2019-09-03 15:22     ` [Bloat] [Cerowrt-devel] " Sebastian Moeller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://lists.bufferbloat.net/postorius/lists/bloat.lists.bufferbloat.net/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAA93jw5Rzgin-TeOB7DRDR9EY34tUUVgT6MoA6aez+4_vfd+TA@mail.gmail.com \
    --to=dave.taht@gmail.com \
    --cc=bloat@lists.bufferbloat.net \
    --cc=cerowrt-devel@lists.bufferbloat.net \
    --cc=swmike@swm.pp.se \
    --cc=toke@toke.dk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox