netoptimizer / network-testing Goto Github PK

The recvfrom test in udp_sink is probably identical to recv, because as it doesn't request the source address.

Based on discussion:
https://lore.kernel.org/netdev/[email protected]

From: Jesper Dangaard Brouer - Sent: 28 November 2019 11:12
...

Can you test recv() as well?

Sure: 9e3c8b86a2d662

$ sudo taskset -c 1 ./udp_sink --port 9  --count $((10**6*2))
           	run      count   	ns/pkt	pps		cycles	payload
recvMmsg/32  	run:  0	 2000000	653.29	1530704.29	2351	18	 demux:1
recvmsg   	run:  0	 2000000	631.01	1584760.06	2271	18	 demux:1
read      	run:  0	 2000000	582.24	1717518.16	2096	18	 demux:1
recvfrom  	run:  0	 2000000	547.26	1827269.12	1970	18	 demux:1
recv      	run:  0	 2000000	547.37	1826930.39	1970	18	 demux:1

I think it might be faster than read().

Slightly, but same speed as recvfrom.

From: David Laight [email protected]

I notice that you recvfrom() code doesn't request the source address.
So is probably identical to recv().

Hi Jesper!

I've found your article about DDoS mitigations using iptables and synproxy.
(http://people.netfilter.org/hawk/presentations/devconf2014/iptables-ddos-mitigation_JesperBrouer.pdf)

I've looked through it and have some questions:

1. If I set up my firewall box, I guess I need to replace all the "INPUT" statements with "FORWARD" ones?
2. Can I set up synproxy for all of the tcp traffic, not only for certain protocols/ports? Won't setting up the notrack rule for all syn packets in raw table affect NAT and other operation?
3. What is the difference between setting /proc/sys/net/ipv4/tcp_syncookies to "2" or to "1"? What is the recommended setting?
4. Can I place the "iptables -A FORWARD -m state --state INVALID -j DROP" under "RELATED,ESTABLISHED" rule? Will the original goal of not letting malicious traffic reach the listen socket be achieved in such a scenario?
5. Also if to talk about the "synproxy" rule and additional parameters in it "--sack-perm --timestamp --wscale 7 --mss 1460" what do they mean? Are these settings default for most seservers/applications? Won't setting this rule up affect services? And if it will, how can I figure out the exact params needed for every specific service?

Thanks in advance, it would be great help for me to learn how to correctly protect my network using my linux firewall :)