scale synproxy threshold based on conntrack max

2025-07-21 06:03:11 -04:00 · 2025-06-22 22:06:29 -04:00 · 2025-06-22 22:06:29 -04:00 · 8b87654075
commit 8b87654075
parent bb797f412b
10 changed files with 12 additions and 10 deletions
--- a/4
+++ b/4
@ -58,7 +58,9 @@ sed -i "s/{{ssh_users}}/${hosts_ssh_users[$host]:-root}/g" etc/ssh/sshd_config.t
 rsync -cv etc/ssh/sshd_config.tmp $remote:/mnt/etc/ssh/sshd_config
 rm etc/ssh/sshd_config.tmp

-rsync -cv etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf $remote:/mnt/etc/nftables.conf
+synproxy_threshold=$(( ${hosts_conntrack_size[$host]} / 64 ))
+sed "s/{{synproxy_threshold}}/$synproxy_threshold/g" etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf >tmp
+rsync -cv tmp $remote:/mnt/etc/nftables.conf

 ssh $remote "arch-chroot /mnt systemctl enable chronyd.service fstrim.timer logrotate.timer nftables.service systemd-networkd.service systemd-oomd.service sshd.service sysstat.service unbound.service"
 ssh $remote "arch-chroot /mnt systemctl disable remote-fs.target systemd-network-generator.service systemd-userdbd.socket"
--- a/etc/nftables/nftables-attestation.conf
+++ b/etc/nftables/nftables-attestation.conf
@ -38,7 +38,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept

        meta l4proto { tcp, udp } accept
        icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
--- a/etc/nftables/nftables-discuss.conf
+++ b/etc/nftables/nftables-discuss.conf
@ -38,7 +38,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept

        meta l4proto { tcp, udp } accept
        icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
--- a/etc/nftables/nftables-mail.conf
+++ b/etc/nftables/nftables-mail.conf
@ -50,7 +50,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+        tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept

        meta l4proto { tcp, udp } accept
        icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
--- a/etc/nftables/nftables-matrix.conf
+++ b/etc/nftables/nftables-matrix.conf
@ -38,7 +38,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept

        meta l4proto { tcp, udp } accept
        icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
--- a/etc/nftables/nftables-network.conf
+++ b/etc/nftables/nftables-network.conf
@ -46,7 +46,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+        tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept

        udp dport 123 notrack accept

--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
@ -54,7 +54,7 @@ table inet filter {
        tcp dport 22 ip6 daddr $ip6-anycast drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept

        meta l4proto { tcp, udp } accept
        icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
--- a/etc/nftables/nftables-ns2.conf
+++ b/etc/nftables/nftables-ns2.conf
@ -52,7 +52,7 @@ table inet filter {
        tcp dport 22 ip daddr $ip-anycast drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+        tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept

        meta l4proto { tcp, udp } accept
        icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
--- a/etc/nftables/nftables-social.conf
+++ b/etc/nftables/nftables-social.conf
@ -38,7 +38,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept

        meta l4proto { tcp, udp } accept
        icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
--- a/etc/nftables/nftables-web.conf
+++ b/etc/nftables/nftables-web.conf
@ -48,7 +48,7 @@ table inet filter {
        fib daddr . iif type != { local, broadcast, multicast } counter drop

        # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
-        tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
+        tcp dport { 22, 80, 443 } tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept

        meta l4proto { tcp, udp } accept
        icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept