Open booo opened 7 years ago
Checking the recent sources (https://git.lede-project.org/?p=project/firewall3.git;a=summary, https://git.lede-project.org/?p=source.git;a=summary), there is no reference to option ip_conntrack_max or to any other option of section config advanced.
In https://git.lede-project.org/?p=project/firewall3.git;a=commit;h=99499fdbe5221847288a6d18edf1032d2702cff9 the tcp_westwood was removed.
I assume the whole "advanced" section is deprecated.
I'm not sure how @pmelange made these configs and where he got these options from. A fresh vanilla-lede build does not have this section either.
To me it looks more like our firewall defaults are outdated ... https://github.com/freifunk-berlin/firmware-packages/search?utf8=%E2%9C%93&q=tcp_ecn&type=
Yes, seems like we should update our firewall defaults.
I still consider this a bug because we want to set some options and actually don't set them.
I didn't add the firewall optional manually. It must have been automagically done. I agree, the automagical firewall is a mess. See issue #447.
Seems like the section is now called defaults: https://lede-project.org/docs/user-guide/firewall_configuration
But I can't find a conntrack_max option.
I will rename the section and remove the conntrack_max option. I think ~16k is a good standard value. Let us consider an increase of the default value later on in the process.
We enable tcp_westwood in our configuration. Does this make sense after all?
The syn_flood option was renamed to synflood_protect. We set the default value explicitly. I think we can remove this and work with the default value.
As @SvenRoederer mentioned, westwood was removed in 2013, so no need for settings. Here are the default values of LEDE for conntrack: https://github.com/lede-project/source/blob/7765e442d04e4c19690f81084a9726776aea8b76/package/base-files/files/etc/sysctl.conf
This may be ok with us, or?
> Seems like the section is now called defaults: https://lede-project.org/docs/user-guide/firewall_configuration
> But I can't find a conntrack_max option.

It's almost there, search for conntrack instead of conntrack_max as it is only an option of conntrack. s.a. https://lede-project.org/docs/user-guide/firewall_configuration#notes_on_connection_tracking
To me it looks like the whole firewalling needs an update. But as there seems to be no real bug, we should have a look into this at another moment and concentrate on release-blocking issues for now. Which this isn't, so I'll remove the "Hedy-1.0.0" milestone.
Would somebody like to solve this?
@booo where did you want to set it? The actual configuration doesn't even show a network/firewall in luci. Now it's set in /etc/sysctl.conf and working. Some additional information on conntrack_max is found here. Can we track down a solution for the conntrack stuff and close this?
On Firmware Berlin (Hedy 1.0.0-olsrd0903-alpha rev 0d3a4c6) Generic - ar71xx/generic, aka. Schwalbenweg18-core.olsr, the firewall configuration uses the option ip_conntrack_max:

Output from sysctl -a | grep conntrack:

Seems like the option does not work. Current workaround is using /etc/sysctl.conf.
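The gap the issue describes, a value written into the firewall config that the kernel never picks up, can be checked mechanically. The script below is an added example, not code from the freifunk-berlin firmware or from this issue; it compares an option from the "config defaults" section of a UCI firewall file against the nf_conntrack_max value in saved `sysctl -a` output. Both input files are constructed samples so it runs offline; on a router you would pass /etc/config/firewall and the real sysctl output.

```shell
#!/bin/sh
# Added example, not code from the freifunk-berlin firmware or the issue above:
# check whether an option written into the "config defaults" section of a UCI
# firewall file is actually what the kernel reports, so a silently ignored
# option (such as ip_conntrack_max here) is caught instead of assumed.

# Print the value of option $2 from the "config defaults" section of UCI file $1.
# Assumes the section header is written as `config defaults` (unquoted).
uci_default_option() {
    awk -v name="$2" '
        /^config[ \t]/ { in_defaults = ($2 == "defaults") }
        in_defaults && $1 == "option" && $2 == name { print $3; exit }
    ' "$1" | tr -d "'\""
}

# Print the nf_conntrack_max value found in saved `sysctl -a` output ($1).
kernel_conntrack_max() {
    awk -F' *= *' '$1 == "net.netfilter.nf_conntrack_max" { print $2; exit }' "$1"
}

# Succeed only if option $2 in config $1 matches the kernel value in $3.
conntrack_in_effect() {
    want=$(uci_default_option "$1" "$2")
    have=$(kernel_conntrack_max "$3")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Constructed sample data modelled on the situation in the issue:
# the config asks for 65536, the kernel still runs with the 16384 default.
FW_CFG=$(mktemp); SYSCTL_OUT=$(mktemp)
trap 'rm -f "$FW_CFG" "$SYSCTL_OUT"' EXIT
cat > "$FW_CFG" <<'EOF'
config defaults
    option syn_flood '1'
    option ip_conntrack_max '65536'

config zone
    option name 'lan'
EOF
cat > "$SYSCTL_OUT" <<'EOF'
net.netfilter.nf_conntrack_max = 16384
net.netfilter.nf_conntrack_tcp_timeout_established = 7440
EOF

if conntrack_in_effect "$FW_CFG" ip_conntrack_max "$SYSCTL_OUT"; then
    echo "ip_conntrack_max is in effect"
else
    echo "ip_conntrack_max NOT in effect: configured $(uci_default_option "$FW_CFG" ip_conntrack_max), kernel reports $(kernel_conntrack_max "$SYSCTL_OUT")"
fi
```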