From 8b87654075d954043d710596940426fb62b79ef9 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sun, 22 Jun 2025 22:06:29 -0400
Subject: [PATCH] scale synproxy threshold based on conntrack max
---
 deploy-initial | 4 +++-
 etc/nftables/nftables-attestation.conf | 2 +-
 etc/nftables/nftables-discuss.conf | 2 +-
 etc/nftables/nftables-mail.conf | 2 +-
 etc/nftables/nftables-matrix.conf | 2 +-
 etc/nftables/nftables-network.conf | 2 +-
 etc/nftables/nftables-ns1.conf | 2 +-
 etc/nftables/nftables-ns2.conf | 2 +-
 etc/nftables/nftables-social.conf | 2 +-
 etc/nftables/nftables-web.conf | 2 +-
 10 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/deploy-initial b/deploy-initial
index 74c069a..d2fe639 100755
--- a/deploy-initial
+++ b/deploy-initial
@@ -58,7 +58,9 @@ sed -i "s/{{ssh_users}}/${hosts_ssh_users[$host]:-root}/g" etc/ssh/sshd_config.t
 rsync -cv etc/ssh/sshd_config.tmp $remote:/mnt/etc/ssh/sshd_config
 rm etc/ssh/sshd_config.tmp
-rsync -cv etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf $remote:/mnt/etc/nftables.conf
+synproxy_threshold=$(( ${hosts_conntrack_size[$host]} / 64 ))
+sed "s/{{synproxy_threshold}}/$synproxy_threshold/g" etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf >tmp
+rsync -cv tmp $remote:/mnt/etc/nftables.conf
 ssh $remote "arch-chroot /mnt systemctl enable chronyd.service fstrim.timer logrotate.timer nftables.service systemd-networkd.service systemd-oomd.service sshd.service sysstat.service unbound.service"
 ssh $remote "arch-chroot /mnt systemctl disable remote-fs.target systemd-network-generator.service systemd-userdbd.socket"
diff --git a/etc/nftables/nftables-attestation.conf b/etc/nftables/nftables-attestation.conf
index 816d7dc..b865562 100644
--- a/etc/nftables/nftables-attestation.conf
+++ b/etc/nftables/nftables-attestation.conf
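Review bot: The new `synproxy_threshold=$(( ${hosts_conntrack_size[$host]} / 64 ))` line has no fallback or check for an unset `hosts_conntrack_size[$host]`, unlike the `:-web` default on the firewall name beside it: an empty expansion makes the arithmetic fail, `$synproxy_threshold` renders as empty, and the pushed ruleset reads `limit rate over /second`, which nft rejects, so the nftables.service enabled on the next line fails at first boot and the host likely comes up without its firewall rules (whether the script aborts earlier depends on `set -e`/`set -u`, which are outside the hunk). Fail loudly instead, e.g. `synproxy_threshold=$(( ${hosts_conntrack_size[$host]:?no hosts_conntrack_size for $host} / 64 ))`, and consider rejecting a result of 0 (a size below 64), since a zero rate should not be accepted as a limit either. Validating the rendered file locally with `nft -c -f tmp` before the rsync would catch any such template error. The 64 divisor deserves a comment stating how it relates to the conntrack table (presumably the fraction of the table a sustained SYN flood may fill per second before synproxy takes over), and the rendered `tmp` file is never removed, unlike `sshd_config.tmp` two lines above.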
@@ -38,7 +38,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
diff --git a/etc/nftables/nftables-discuss.conf b/etc/nftables/nftables-discuss.conf
index fd112e4..c9be78b 100644
--- a/etc/nftables/nftables-discuss.conf
+++ b/etc/nftables/nftables-discuss.conf
@@ -38,7 +38,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
diff --git a/etc/nftables/nftables-mail.conf b/etc/nftables/nftables-mail.conf
index d7d4805..058cf08 100644
--- a/etc/nftables/nftables-mail.conf
+++ b/etc/nftables/nftables-mail.conf
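Review bot: Nothing in the file records that `{{synproxy_threshold}}` in the rewritten rule is a template placeholder rendered by deploy-initial, so nftables-attestation.conf can no longer be loaded or checked with `nft -f` as-is and a reader of the file alone cannot tell what the rate is. Extend the existing comment on the line above the rule, e.g. `# {{synproxy_threshold}} is substituted by deploy-initial (conntrack max / 64); this file is a template, not a loadable ruleset`. The nftables-discuss.conf hunk on this line needs the same remark. The enclosing `table inet filter` chain begins and ends outside both hunks.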
@@ -50,7 +50,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
diff --git a/etc/nftables/nftables-matrix.conf b/etc/nftables/nftables-matrix.conf
index fd58d09..de59567 100644
--- a/etc/nftables/nftables-matrix.conf
+++ b/etc/nftables/nftables-matrix.conf
@@ -38,7 +38,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
diff --git a/etc/nftables/nftables-network.conf b/etc/nftables/nftables-network.conf
index dfc0d3d..52cb98e 100644
--- a/etc/nftables/nftables-network.conf
+++ b/etc/nftables/nftables-network.conf
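Review bot: In the nftables-mail.conf hunk the single limiter now rendered from `{{synproxy_threshold}}` is shared by all six listed ports (22, 25, 80, 443, 465, 993), and nothing near the rule says the value is per-host and derived from that host's conntrack size, so an operator reading the file outside deploy-initial, or comparing two hosts' rulesets, has no way to interpret it. A short addition to the comment above the rule is enough: `# threshold is rendered per host by deploy-initial as hosts_conntrack_size / 64 and is shared by all listed ports; the file is not loadable until substituted`. The nftables-matrix.conf hunk on this line needs the same remark. Both chains start and end outside the hunks.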
@@ -46,7 +46,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 udp dport 123 notrack accept
diff --git a/etc/nftables/nftables-ns1.conf b/etc/nftables/nftables-ns1.conf
index f801cf4..1fcc421 100644
--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
@@ -54,7 +54,7 @@ table inet filter {
 tcp dport 22 ip6 daddr $ip6-anycast drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
diff --git a/etc/nftables/nftables-ns2.conf b/etc/nftables/nftables-ns2.conf
index 8ef6a59..93b944b 100644
--- a/etc/nftables/nftables-ns2.conf
+++ b/etc/nftables/nftables-ns2.conf
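Review bot: The threshold rendered into the nftables-ns1.conf rule budgets only TCP SYNs against the conntrack table, but on ns1 UDP 53 traffic is presumably tracked too (the hunk shows it falling through to `meta l4proto { tcp, udp } accept` with no `notrack`, whereas network.conf on this same line explicitly does `udp dport 123 notrack accept`), so conntrack can still fill from UDP flows while the SYN rate stays under the limit. If UDP 53 is in fact tracked, the comment above the rule should say the derivation assumes TCP SYNs are the dominant consumer, e.g. `# {{synproxy_threshold}} = conntrack max / 64, rendered by deploy-initial; assumes tracked UDP 53 traffic stays small relative to the table`. If a `notrack` rule for UDP 53 exists elsewhere in ns1.conf, a pointer to it in the comment would settle the question. Both rules sit in chains that begin and end outside these hunks.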
@@ -52,7 +52,7 @@ table inet filter {
 tcp dport 22 ip daddr $ip-anycast drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
diff --git a/etc/nftables/nftables-social.conf b/etc/nftables/nftables-social.conf
index 5418eec..8f9e599 100644
--- a/etc/nftables/nftables-social.conf
+++ b/etc/nftables/nftables-social.conf
@@ -38,7 +38,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
diff --git a/etc/nftables/nftables-web.conf b/etc/nftables/nftables-web.conf
index b7c6a02..be49118 100644
--- a/etc/nftables/nftables-web.conf
+++ b/etc/nftables/nftables-web.conf
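Review bot: Like its IPv6 twin, the nftables-ns2.conf rule now carries a placeholder whose meaning is known only to deploy-initial, and the hunk shows UDP 53 reaching `meta l4proto { tcp, udp } accept` without `notrack`, so the rendered SYN threshold presumably assumes TCP is what fills conntrack; the comment above the rule should state both facts, e.g. `# {{synproxy_threshold}} is rendered per host by deploy-initial (conntrack max / 64); file is a template until substituted, and the budget ignores tracked UDP 53 flows`. The nftables-social.conf hunk on this line needs at least the template remark. Both chains begin and end outside the hunks.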
@@ -48,7 +48,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
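Review bot: The `{{synproxy_threshold}}` placeholder in the nftables-web.conf rule is undocumented in the file, and since `web` is the profile deploy-initial falls back to when `hosts_firewall[$host]` is unset, this is the template most likely to be read or loaded on its own and to fail with a syntax error under `nft -f`. Add above the rule `# {{synproxy_threshold}}: per-host value rendered by deploy-initial as conntrack max / 64; run the file through deploy-initial before loading it with nft`. The enclosing chain begins and ends outside the hunk.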