[Cerowrt-devel] Field Report - installing 3.8.13-7
dave.taht at gmail.com
Sun Jun 16 18:35:21 EDT 2013
On Sun, Jun 16, 2013 at 3:29 PM, Toke Høiland-Jørgensen <toke at toke.dk> wrote:
> Rich Brown <richb.hanover at gmail.com> writes:
>> As noted above, 6in4 addresses seem to work, however, I did see a lot
>> of error messages as a result of running the 6in4 tunnel configuration
>> script. I've attached it to see if there's anything amiss…
I'm still looking for benchmark data on the rrul test over 6in4.
I spoke to a hurricane guy about how they do tunnelling, I think there
is some fq_codel work to be done over there to help their gateways out
in the long run.
> Have never used the 6in4 script, but a few of the messages have to do
> with the new firewall script:
>> Warning: Option @defaults.synflood_rate has invalid value '200'
> This is because the value is wrong. It should be '200/s' and not '200'.
It used to be right.
> That's a bug, I believe (though a minor one). Fixed in git; you can
THX! Polishing up the fenders...
> manually add the /s in your /etc/config/firewall if you want to shut it
> up. :)
I note that in older versions of openwrt the synflood rate was set
very low, low enough to be triggered by benchmarks like google
chrome's web page benchmark. I don't know the default now.
Worse, fixed rate limits like this don't scale up or down well. There
are similar fixed rate limits for ipv6 icmp traffic (which cero
doesn't do) in the default openwrt firewall rules. I would definately
argue that icmp and icmpv6 should be rate limited as a percentage of
your overall bandwidth and/or tossed into a special fq_codel class
and/or classified background, as someone doing a fast ping probe from
a fast host of your entire /48 will eat your entire uplink easily
without some limits in place.
>> Warning: Section @rule (domain) does not specify a protocol,
>> assuming TCP+UDP
> The new firewall script complains when no protocol is set, but it does
> the right thing, so not really sure if I would call it a bug; should be
> fixed in git as well, though.
> The rest of the output is because the new firewall is more verbose than
> the old one.
> Cerowrt-devel mailing list
> Cerowrt-devel at lists.bufferbloat.net
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
More information about the Cerowrt-devel