‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Friday, December 18, 2020 10:48 AM, Stuart Henderson <[email protected]> wrote:
> It's something like "what % of max allowed states is half-open tcp".
> Watch out as there are some bugs in this area, definitely the
> accounting of half-open connections can be wildly off sometimes
> (triggering adaptive syncookies when they shouldn't really be triggered)
> and I think also with the behaviour when they're active, I have had
> it trigger spuriously and then a bunch of connections failing when
> triggered, so monitor it carefully if you enable this.

Thank you for the clarification. This means that if I want to start using syncookies when I have over 40'000 half-open tcp states and stop using them when it is back down to 30'000 half-open tcp states, I would use the following pf.conf parameter:

set syncookies adaptive (start 4%, end 3%)

Note that my max allowed states is set to 1'000'000. I guess this is better, even if somewhat imprecise, than having syncookies set to "always"...

What is the best way to monitor the usage of adaptive syncookies? In the output of "pfctl -si" I don't see any relevant metric for syncookies.
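The percentage arithmetic behind that pf.conf line, as an added example that is not part of the thread and not pf's own code: it converts the absolute half-open counts a person has in mind (40'000 on, 30'000 off) into the whole-number percentages of "set limit states" that "set syncookies adaptive (start N%, end M%)" accepts, and back again, so the operator can see the thresholds pf will actually use. It assumes (my reading of pf.conf(5), not something the thread states) that pf accepts only integer percentages and requires start to exceed end; the rounding directions are my choice. The resulting thresholds are still measured against pf's own half-open accounting, which Stuart's reply above says can be wildly off, so this does not replace monitoring.

```python
"""Map absolute half-open TCP state thresholds to the integer percentages
pf.conf's "set syncookies adaptive (start N%, end M%)" takes, and back.

Assumptions (mine, not from the mailing-list thread):
  * pf accepts whole-number percentages of the "set limit states" value;
  * "start" must be strictly greater than "end" (hysteresis);
  * the counts are compared against pf's own half-open state counter.
"""
from __future__ import annotations


def effective_thresholds(max_states: int, start_pct: int, end_pct: int) -> tuple[int, int]:
    """Absolute half-open counts at which adaptive syncookies engage/disengage."""
    if not (0 <= end_pct < start_pct <= 100):
        raise ValueError("need 0 <= end < start <= 100")
    return max_states * start_pct // 100, max_states * end_pct // 100


def pf_percentages(max_states: int, start_states: int, end_states: int) -> tuple[int, int]:
    """Integer percentages to write in pf.conf for the desired absolute counts.

    'start' rounds up so cookies never engage below the requested count;
    'end' rounds down so they never stay on above the requested count.
    Integer arithmetic avoids float rounding surprises.
    """
    if not (0 <= end_states < start_states <= max_states):
        raise ValueError("need 0 <= end < start <= max_states")
    start_pct = -(-100 * start_states // max_states)  # ceiling division
    end_pct = 100 * end_states // max_states           # floor division
    return start_pct, end_pct


def pf_conf_line(start_pct: int, end_pct: int) -> str:
    """The pf.conf directive for the given percentages."""
    return f"set syncookies adaptive (start {start_pct}%, end {end_pct}%)"


if __name__ == "__main__":
    limit = 1_000_000                      # the poster's "set limit states"
    sp, ep = pf_percentages(limit, 40_000, 30_000)
    print(pf_conf_line(sp, ep))            # start 4%, end 3%
    print(effective_thresholds(limit, sp, ep))
    # Quantisation: 35_000 cannot be expressed at this limit; it becomes 4%,
    # so cookies engage at 40_000, not 35_000.
    print(effective_thresholds(limit, *pf_percentages(limit, 35_000, 30_000)))
```

The useful part is the last line: because pf only takes whole percentages of the state limit, the granularity at a 1'000'000-state limit is 10'000 half-open states, so any desired threshold is silently moved to the next multiple.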

