From ba79d80b52d305194e807ba3c2b15fe4634cc03d Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Fri, 26 Apr 2024 16:30:49 -0400
Subject: [PATCH] raise burst value for synproxy threshold

---
 nftables/nftables-attestation.conf | 2 +-
 nftables/nftables-discuss.conf | 2 +-
 nftables/nftables-mail.conf | 2 +-
 nftables/nftables-matrix.conf | 2 +-
 nftables/nftables-network.conf | 2 +-
 nftables/nftables-ns1.conf | 2 +-
 nftables/nftables-ns2.conf | 2 +-
 nftables/nftables-social.conf | 2 +-
 nftables/nftables-web.conf | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/nftables/nftables-attestation.conf b/nftables/nftables-attestation.conf
index bca3e57..0d6eecb 100644
--- a/nftables/nftables-attestation.conf
+++ b/nftables/nftables-attestation.conf
@@ -38,7 +38,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
 meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
diff --git a/nftables/nftables-discuss.conf b/nftables/nftables-discuss.conf
index e939936..dbbaa95 100644
--- a/nftables/nftables-discuss.conf
+++ b/nftables/nftables-discuss.conf
@@ -38,7 +38,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
 meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
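Review bot: The reason for moving burst from 128 to 1024 is not recorded anywhere in the change — the commit message only states that the value is raised, and the comment above the rule still describes just the rate, so a later reader cannot tell why 1024 was chosen or why 128 proved too low. Because this rule exists, per its own comment, to divert excess SYNs to synproxy and keep them out of conntrack, an eightfold larger burst presumably allows several hundred more SYNs per spike to be tracked before the over-limit branch engages, so it is worth confirming that conntrack table sizing still accommodates that and stating the trade-off inline, e.g. extending the comment with `# burst 1024 tolerates a one-second spike at the 1024/s rate before diverting to synproxy; keep in sync with conntrack sizing`. The same change and the same undocumented rationale apply to the identical rule in nftables-discuss.conf, nftables-mail.conf, nftables-matrix.conf, nftables-network.conf, nftables-ns1.conf, nftables-ns2.conf, nftables-social.conf and nftables-web.conf, and with nine hand-maintained copies a single documented source for the threshold would reduce drift between hosts. The synproxy rule the comment refers to lies outside this hunk.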
diff --git a/nftables/nftables-mail.conf b/nftables/nftables-mail.conf
index e3ddc3d..250ae2d 100644
--- a/nftables/nftables-mail.conf
+++ b/nftables/nftables-mail.conf
@@ -50,7 +50,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ tcp dport { 22, 25, 80, 443, 465, 993 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
 meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
diff --git a/nftables/nftables-matrix.conf b/nftables/nftables-matrix.conf
index b6028dd..08ee37c 100644
--- a/nftables/nftables-matrix.conf
+++ b/nftables/nftables-matrix.conf
@@ -38,7 +38,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
 meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
diff --git a/nftables/nftables-network.conf b/nftables/nftables-network.conf
index a5b3d62..03e8b19 100644
--- a/nftables/nftables-network.conf
+++ b/nftables/nftables-network.conf
@@ -46,7 +46,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ tcp dport { 22, 80, 443, 7275 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
 udp dport 123 notrack accept
diff --git a/nftables/nftables-ns1.conf b/nftables/nftables-ns1.conf
index 96a1ab3..892f20c 100644
--- a/nftables/nftables-ns1.conf
+++ b/nftables/nftables-ns1.conf
@@ -40,7 +40,7 @@ table inet filter {
 udp dport 53 notrack accept
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
 meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
diff --git a/nftables/nftables-ns2.conf b/nftables/nftables-ns2.conf
index ff0dc17..0d36a54 100644
--- a/nftables/nftables-ns2.conf
+++ b/nftables/nftables-ns2.conf
@@ -52,7 +52,7 @@ table inet filter {
 tcp dport 22 ip daddr $ip-anycast drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
 meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
diff --git a/nftables/nftables-social.conf b/nftables/nftables-social.conf
index 5a337c6..4c70f5b 100644
--- a/nftables/nftables-social.conf
+++ b/nftables/nftables-social.conf
@@ -38,7 +38,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
 meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
diff --git a/nftables/nftables-web.conf b/nftables/nftables-web.conf
index a37e05b..2f33d53 100644
--- a/nftables/nftables-web.conf
+++ b/nftables/nftables-web.conf
@@ -48,7 +48,7 @@ table inet filter {
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
- tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
+ tcp dport { 22, 80, 443 } tcp flags syn limit rate over 1024/second burst 1024 packets counter notrack accept
 meta l4proto { tcp, udp } accept
 meta l4proto { icmp, ipv6-icmp } notrack accept