From: Dave Taht
Date: Tue, 3 Sep 2019 08:21:53 -0700
To: Toke Høiland-Jørgensen
Cc: Mikael Abrahamsson, cerowrt-devel, bloat
Subject: Re: [Cerowrt-devel] [Bloat] talking at linux plumbers in portugal next week
List-Id: Development issues regarding the cerowrt test router project <cerowrt-devel@lists.bufferbloat.net>

On Tue, Sep 3, 2019 at 8:10 AM Toke Høiland-Jørgensen wrote:
>
> Dave Taht writes:
>
> > On Tue, Sep 3, 2019 at 7:45 AM Toke Høiland-Jørgensen wrote:
> >>
> >> Dave Taht writes:
> >>
> >> > On Tue, Sep 3, 2019 at 5:23 AM Mikael Abrahamsson wrote:
> >> >>
> >> >> On Mon, 2 Sep 2019, Dave Taht wrote:
> >> >>
> >> >> > with copy-pasted parameters set in the 90s - openwrt's default, last I
> >> >> > looked, was 25/sec.
> >> >>
> >> >> -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
> >> >> -A syn_flood -m comment --comment "!fw3" -j DROP
> >> >>
> >> >> Well, it's got a burst-size of 50. I agree that this is quite
> >> >> conservative.
> >> >>
> >> >> However, at least in my home we're not seeing drops:
> >> >>
> >> >> # iptables -nvL | grep -A 4 "Chain syn_flood"
> >> >> Chain syn_flood (1 references)
> >> >>  pkts bytes target     prot opt in     out     source               destination
> >> >>  2296  113K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
> >> >>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
> >> >>
> >> >> But you might be right that in places with a lot more clients than this
> >> >> might indeed cause problems.
> >> >
> >> > Well, *I* long ago had upped those params by 10x and don't see syn
> >> > drops either on my backbone. But I rather suspect the rest of the
> >> > world just copy-pasted it. It should scale as a function of bandwidth,
> >> > I suppose, or get updated as a side effect of setting QoS - or just
> >> > get bumped up. Start a bug over with openwrt? Take a hard look at
> >> > other firewall designs?
> >>
> >> FWIW:
> >>
> >> # iptables -nvL syn_flood
> >> Chain syn_flood (1 references)
> >>  pkts bytes target     prot opt in     out     source               destination
> >>  195K   12M RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
> >>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
> >>
> >> # ip6tables -nvL syn_flood
> >> Chain syn_flood (1 references)
> >>  pkts bytes target     prot opt in     out     source               destination
> >>   396 41508 RETURN     tcp      *      *       ::/0                 ::/0                 tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
> >>     0     0 DROP       all      *      *       ::/0                 ::/0                 /* !fw3 */
> >>
> >> rebooted this box today; don't seem to have hit the limit thus far,
> >> though... This is on a gigabit link.
> >
> > Hmm. Try to trigger it with --te=upload_streams=200 ?
>
> Sure, that triggers it:
>
> # iptables -nvL syn_flood
> Chain syn_flood (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>  197K   12M RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
>   275 16480 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
>
>
> And I get tons of errors from netperf failing to start up.
>
> However, the protection is only actually enabled for the INPUT chain;
> i.e., I had to use the router itself as the netperf target to trigger
> the rule. So not sure a rule such as this would be the cause of your
> coffee shop failures?

Good point. I think in the cerowrt case I'd enabled it for all chains
and then noticed, and bumped it up. Limiting syn attempts to the router
itself makes more sense than doing it on the forward path.

The coffee shop tests were fun, but I (we) needed more rigor when doing
them. What I'd typically do is go in, get on the wifi, start 6 minutes
worth of tests, get in line, get coffee... I would feel a twinge of
guilt when I'd start seeing heads pop up from their laptops while
running the rrul test, but in two cases I managed to talk to the owner,
help 'em get QoS configured right on their router, show'd 'em the
difference, and got a free meal out of it...

So, it was only discovering that I'd had that 30% rejection figure via
the stats on my osx box that I started speculating as to the cause(s),
last week. The other big fear is that because OSX is always attempting
to negotiate ECN, that that's a cause.

A bit more rigor about this and it could turn into a good paper or blog
entry, and it's good to get out more for the sake of science, with
table service!

> This is with the default openwrt config, BTW:
>
> config defaults
>         option syn_flood '1'
>
> -Toke

-- 
Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
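The syn_flood chain the thread argues about is a plain `-m limit` token bucket, so its behaviour can be worked out offline. The Python model below is added here and is not code from the thread, from OpenWrt or from fw3; it follows the netfilter xt_limit credit scheme (one SYN costs 1/rate seconds of credit, capped at burst times that cost) but counts in microseconds instead of kernel jiffies, and the two arrival patterns it replays are constructed, not measurements. It shows why 200 netperf streams opened against the router trip the default 25/sec, burst 50 rule while a quiet home day never does, and what the 10x parameters Dave mentions change.

```python
"""Model of the iptables `-m limit` bucket behind OpenWrt's syn_flood chain (added illustration)."""

USEC = 1_000_000


class SynFloodLimit:
    """`-m limit --limit RATE/sec --limit-burst BURST`: match -> RETURN, no match -> DROP."""

    def __init__(self, rate_per_sec, burst):
        self.cost = USEC // rate_per_sec      # credit one SYN consumes: 40000 us at 25/sec
        self.cap = burst * self.cost          # bucket starts full, so BURST SYNs may pass at once
        self.credit = self.cap
        self.last_us = 0

    def syn(self, now_us):
        """True if the SYN arriving at now_us matches the limit (RETURN), False if it falls to DROP."""
        # credit refills with wall-clock time, never beyond the burst cap
        self.credit = min(self.cap, self.credit + (now_us - self.last_us))
        self.last_us = now_us
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False   # a dropped SYN consumes no credit


def run(arrival_us, rate_per_sec=25, burst=50):
    """Replay SYN arrival times (microseconds) through the chain.

    Returns (returned, dropped), i.e. the pkts column of the two rules in `iptables -nvL syn_flood`.
    """
    bucket = SynFloodLimit(rate_per_sec, burst)
    returned = sum(bucket.syn(t) for t in sorted(arrival_us))
    return returned, len(arrival_us) - returned


# Constructed workloads (not measurements from the thread).
# 200 netperf streams opened 1 ms apart with the router itself as target,
# roughly what --te=upload_streams=200 does.
NETPERF_200 = [i * 1000 for i in range(200)]
# A quiet home: 2296 SYNs to the router spread evenly over one day.
HOME_DAY = [i * (86_400 * USEC // 2296) for i in range(2296)]

if __name__ == "__main__":
    for name, load in (("netperf x200", NETPERF_200), ("home, one day", HOME_DAY)):
        print(f"{name}: default 25/sec burst 50 -> {run(load)}; 10x (250/sec burst 500) -> {run(load, 250, 500)}")
```

With the defaults the burst of 200 gets 54 RETURNs and 146 DROPs (the first 51 ride on the initial bucket, then one every 40 ms), which is the "netperf failing to start up" symptom; the spread-out home traffic and the 10x settings drop nothing.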