From: Dave Taht
Date: Tue, 3 Sep 2019 07:21:26 -0700
To: Mikael Abrahamsson
Cc: bloat, cerowrt-devel
Subject: Re: [Cerowrt-devel] [Bloat] talking at linux plumbers in portugal next week
List-Id: Development issues regarding the cerowrt test router project

On Tue, Sep 3, 2019 at 5:23 AM Mikael Abrahamsson wrote:
>
> On Mon, 2 Sep 2019, Dave Taht wrote:
>
> > with copy-pasted parameters set in the 90s - openwrt's default, last I
> > looked, was 25/sec.
>
> -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
> -A syn_flood -m comment --comment "!fw3" -j DROP
>
> Well, it's got a burst-size of 50. I agree that this is quite
> conservative.
>
> However, at least in my home we're not seeing drops:
>
> # iptables -nvL | grep -A 4 "Chain syn_flood"
> Chain syn_flood (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>  2296  113K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
>     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
>
> But you might be right that in places with a lot more clients then this
> might indeed cause problems.

Well, *I* long ago had upped those params by 10x and don't see syn drops
either on my backbone. But I rather suspect the rest of the world just
copy-pasted it.

It should scale as a function of bandwidth, I suppose, or get updated as
a side effect of setting QoS - or just get bumped up.

Start a bug over with openwrt? Take a hard look at other firewall designs?
Like I said, though, my big question was: is there a browser stat or some
other easily accessible stat to see how often syns are rejected?

Another context for this was syn negotiation with ecn on and the fallback.

Interestingly, I've also seen a pretty big uptick in ecn marking over the
last year or so. On one uplink (we do have a lot of guests that run apple
gear), it's now at over 10% of the drop ratio on outbound.

This box is - I hope - the last cerowrt box running in the universe - and
the only reason it ever goes down is because of a long duration power
failure. I've been meaning to replace it for ages...

root@lounge:~# uptime
 07:14:53 up 55 days, 17:14,  load average: 0.16, 0.09, 0.10

outbound:

qdisc fq_codel 120: parent 1:12 limit 1001p flows 1024 quantum 300 target 5.0ms interval 100.0ms ecn
 Sent 159378714029 bytes 1038654784 pkt (dropped 426065, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 1514 drop_overlimit 0 new_flow_count 213282954 ecn_mark 48220
  new_flows_len 0 old_flows_len 1

inbound: (where comcast remarks most packets to CS1)

qdisc fq_codel 120: parent 1:12 limit 1001p flows 1024 quantum 1500 target 5.0ms interval 100.0ms ecn
 Sent 40391986695 bytes 34710741 pkt (dropped 420, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 1514 drop_overlimit 0 new_flow_count 5687382 ecn_mark 0
  new_flows_len 0 old_flows_len 2

qdisc fq_codel 130: parent 1:13 limit 1001p flows 1024 quantum 300 target 5.0ms interval 100.0ms ecn
 Sent 2285974845172 bytes 1748071724 pkt (dropped 61231, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  maxpacket 1514 drop_overlimit 0 new_flow_count 229072930 ecn_mark 344
  new_flows_len 0 old_flows_len 1

> --
> Mikael Abrahamsson    email: swmike@swm.pp.se

--
Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740