On Sun, Jun 16, 2013 at 3:29 PM, Toke Høiland-Jørgensen <t...@toke.dk> wrote:
> Rich Brown <richb.hano...@gmail.com> writes:
>
>> As noted above, 6in4 addresses seem to work, however, I did see a lot
>> of error messages as a result of running the 6in4 tunnel configuration
>> script. I've attached it to see if there's anything amiss…

I'm still looking for benchmark data on the rrul test over 6in4. I spoke to a hurricane guy about how they do tunnelling, I think there is some fq_codel work to be done over there to help their gateways out in the long run.

> Have never used the 6in4 script, but a few of the messages have to do
> with the new firewall script:
>
>> Warning: Option @defaults[0].synflood_rate has invalid value '200'
>
> This is because the value is wrong. It should be '200/s' and not '200'.

It used to be right.

> That's a bug, I believe (though a minor one). Fixed in git; you can

THX! Polishing up the fenders...

> manually add the /s in your /etc/config/firewall if you want to shut it
> up. :)

I note that in older versions of openwrt the synflood rate was set very low, low enough to be triggered by benchmarks like google chrome's web page benchmark. I don't know the default now. Worse, fixed rate limits like this don't scale up or down well.

There are similar fixed rate limits for ipv6 icmp traffic (which cero doesn't do) in the default openwrt firewall rules. I would definitely argue that icmp and icmpv6 should be rate limited as a percentage of your overall bandwidth and/or tossed into a special fq_codel class and/or classified background, as someone doing a fast ping probe from a fast host of your entire /48 will eat your entire uplink easily without some limits in place.

>
>> Warning: Section @rule[0] (domain) does not specify a protocol,
>> assuming TCP+UDP
>
> The new firewall script complains when no protocol is set, but it does
> the right thing, so not really sure if I would call it a bug; should be
> fixed in git as well, though.
>
> The rest of the output is because the new firewall is more verbose than
> the old one.
>
> -Toke
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>

-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
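
Added example, not part of the original thread and not code from the OpenWrt or CeroWrt firewall: a shell/awk check that scans a UCI-style firewall config for the two conditions behind the warnings quoted above (a `synflood_rate` given as a bare number, and a `rule` section with no `proto`). The function names, message wording and sample config are constructed for illustration, and the unit check assumes only what the thread states, that `200` is rejected and `200/s` is accepted.

```shell
#!/bin/sh
# Reads UCI-style firewall config on stdin and prints one finding per line.
lint_firewall() {
    awk '
    function end_section() {
        # A rule section that closed without a proto option is the case the
        # firewall script reports as "assuming TCP+UDP".
        if (type == "rule" && !has_proto)
            printf "rule[%d] (%s): no proto set, firewall assumes TCP+UDP\n", idx, name
    }
    $1 == "config" {
        end_section()
        type = $2; name = ""; has_proto = 0
        idx = count[type]++          # per-type index, like @rule[0], @rule[1]
        next
    }
    $1 == "option" {
        val = $3
        gsub(/^[^0-9A-Za-z]+|[^0-9A-Za-z]+$/, "", val)   # strip quotes
        if ($2 == "name")  name = val
        if ($2 == "proto") has_proto = 1
        # A bare number carries no time unit; the thread gives N/s as correct.
        if ($2 == "synflood_rate" && val ~ /^[0-9]+$/)
            printf "defaults[%d]: synflood_rate %s has no unit, use %s/s\n", idx, val, val
    }
    END { end_section() }
    '
}

# Constructed sample input reproducing the two conditions from the thread.
sample_config() {
cat <<'EOF'
config defaults
    option syn_flood '1'
    option synflood_rate '200'

config rule
    option name 'domain'
    option src 'lan'
    option dest_port '53'
    option target 'ACCEPT'

config rule
    option name 'ssh'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'
EOF
}

sample_config | lint_firewall
```

On a router the same function can be fed the live file with `lint_firewall < /etc/config/firewall`.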