From: Dave Taht
Date: Tue, 3 Sep 2019 07:47:18 -0700
To: Toke Høiland-Jørgensen
Cc: Mikael Abrahamsson, cerowrt-devel, bloat
Subject: Re: [Cerowrt-devel] [Bloat] talking at linux plumbers in portugal next week

On Tue, Sep 3, 2019 at 7:45 AM Toke Høiland-Jørgensen wrote:
>
> Dave Taht writes:
>
> > On Tue, Sep 3, 2019 at 5:23 AM Mikael Abrahamsson wrote:
> >>
> >> On Mon, 2 Sep 2019, Dave Taht wrote:
> >>
> >> > with copy-pasted parameters set in the 90s - openwrt's default, last I
> >> > looked, was 25/sec.
> >>
> >> -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
> >> -A syn_flood -m comment --comment "!fw3" -j DROP
> >>
> >> Well, it's got a burst-size of 50. I agree that this is quite
> >> conservative.
> >>
> >> However, at least in my home we're not seeing drops:
> >>
> >> # iptables -nvL | grep -A 4 "Chain syn_flood"
> >> Chain syn_flood (1 references)
> >>  pkts bytes target     prot opt in     out     source               destination
> >>  2296  113K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
> >>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
> >>
> >> But you might be right that in places with a lot more clients than this
> >> might indeed cause problems.
> >
> > Well, *I* long ago had upped those params by 10x and don't see syn
> > drops either on my backbone. But I rather suspect the rest of the
> > world just copy-pasted it. It should scale as a function of bandwidth,
> > I suppose, or get updated as a side effect of setting QoS - or just
> > get bumped up. Start a bug over with openwrt? Take a hard look at
> > other firewall designs?
>
> FWIW:
>
> # iptables -nvL syn_flood
> Chain syn_flood (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>  195K   12M RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
>
> # ip6tables -nvL syn_flood
> Chain syn_flood (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>   396 41508 RETURN     tcp      *      *       ::/0                 ::/0                 tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
>     0     0 DROP       all      *      *       ::/0                 ::/0                 /* !fw3 */
>
> rebooted this box today; don't seem to have hit the limit thus far,
> though... This is on a gigabit link.

Hmm. Try to trigger it with --te=upload_streams=200 ?

>
> -Toke

-- 
Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
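To put numbers on the thread's argument, here is an added example (not code from OpenWrt, flent, or anyone in the thread) that models the `-m limit` token bucket behind the syn_flood chain and counts how many SYNs its RETURN and DROP rules would see for a few constructed arrival patterns, including 200 flows opened at once as `--te=upload_streams=200` would do; the refill is modelled as continuous rather than at xt_limit's jiffy granularity.

```python
"""Simplified model of the netfilter `-m limit` token bucket used by
OpenWrt's syn_flood chain (--limit 25/sec --limit-burst 50).
Constructed example; not code from OpenWrt or from the thread."""
from fractions import Fraction


class SynFloodLimit:
    """Bucket of `burst` tokens refilled at `rate` tokens/sec; starts full."""

    def __init__(self, rate=25, burst=50):
        self.rate = Fraction(rate)
        self.burst = Fraction(burst)
        self.tokens = self.burst        # xt_limit starts with full credit
        self.last = Fraction(0)

    def accept(self, t):
        """True if a SYN arriving at time t (seconds) matches the RETURN rule."""
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False                    # falls through to `-A syn_flood -j DROP`


def simulate(arrivals, rate=25, burst=50):
    """Feed SYN arrival times through the chain and return (returned, dropped),
    i.e. the pkts counters `iptables -nvL syn_flood` would show per rule."""
    lim = SynFloodLimit(rate, burst)
    returned = dropped = 0
    for t in sorted(Fraction(a) for a in arrivals):
        if lim.accept(t):
            returned += 1
        else:
            dropped += 1
    return returned, dropped


# Constructed arrival patterns mirroring the thread (times in seconds):
BURST_200 = [Fraction(0)] * 200                        # 200 flows at once
STEADY_20 = [Fraction(i, 20) for i in range(200)]      # 20 SYN/s for 10 s
MANY_CLIENTS = [Fraction(i, 500) for i in range(500)]  # 500 new flows in 1 s

if __name__ == "__main__":
    for name, pattern in (("burst", BURST_200), ("steady", STEADY_20),
                          ("busy", MANY_CLIENTS)):
        print(name, simulate(pattern))
    # the same busy second with the parameters raised 10x, as Dave did
    print("busy, 10x params", simulate(MANY_CLIENTS, rate=250, burst=500))
```

The burst case shows the DROP counter jumping by 150 from a single test run, while the steady pattern never touches it; the busy second is where the 10x setting makes the difference.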