Message ID | 20181214120332.5372-1-ummeegge@ipfire.org |
---|---|
State | Dropped |
Headers | From: "erik.kapfer" <ummeegge@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] sysctl.conf: Enable TFO in sysctl Date: Fri, 14 Dec 2018 13:03:32 +0100 Message-Id: <20181214120332.5372-1-ummeegge@ipfire.org> X-Mailer: git-send-email 2.12.2 |
Series | sysctl.conf: Enable TFO in sysctl |
Commit Message
ummeegge
Dec. 14, 2018, 11:03 p.m. UTC
Fixes #11945
This does not enable TFO support in general; there is still the execution of
    echo 3 > /proc/sys/net/ipv4/tcp_fastopen
needed after every reboot (rc.local e.g.).
For further information see:
https://tools.ietf.org/html/rfc7413#section-4.2.2
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
Signed-off-by: erik.kapfer <ummeegge@ipfire.org>
---
config/etc/sysctl.conf | 1 +
1 file changed, 1 insertion(+)
Comments
Hi,

> On 14 Dec 2018, at 12:03, erik.kapfer <ummeegge@ipfire.org> wrote:
>
> Fixes #11945
>
> This do not enables TFO support in general there is still the execution of
> echo 3 > /proc/sys/net/ipv4/tcp_fastopen
> needed after every reboot (rc.local e.g.).
>

Why does this not enable it? Setting that value to 3 is what the sysctl command does.

I am confused.

> For further information see:
> https://tools.ietf.org/html/rfc7413#section-4.2.2
> https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
>
> Signed-off-by: erik.kapfer <ummeegge@ipfire.org>
> ---
> config/etc/sysctl.conf | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf > index 4066af767..52b21efa4 100644 > --- a/config/etc/sysctl.conf > +++ b/config/etc/sysctl.conf > @@ -13,6 +13,7 @@ net.ipv4.tcp_syncookies = 1 > net.ipv4.tcp_fin_timeout = 30 > net.ipv4.tcp_syn_retries = 3 > net.ipv4.tcp_synack_retries = 3 > +net.ipv4.tcp_fastopen = 3 > > net.ipv4.conf.default.arp_filter = 1 > net.ipv4.conf.default.rp_filter = 0 > -- > 2.12.2 >
Hi Michael,

On Friday, 14.12.2018, at 14:59 +0000, Michael Tremer wrote:
> Hi,
>
> > On 14 Dec 2018, at 12:03, erik.kapfer <ummeegge@ipfire.org> wrote:
> >
> > Fixes #11945
> >
> > This do not enables TFO support in general there is still the
> > execution of
> > echo 3 > /proc/sys/net/ipv4/tcp_fastopen
> > needed after every reboot (rc.local e.g.).
> >
>
> Why does this not enable it? Setting that value to 3 is what the
> sysctl command does.
>
> I am confused.

You are right, mixed the tests up there but also used old descriptions.
There is no need to echo '3' to tcp_fastopen to survive reboots. Should
I amend the patch and correct the commit message?

Did now some tests with OpenSSL-1.1.1a whereby unbound includes the TFO
configure options and DoT seems *really* much faster than DoT on another
system without TFO support for unbound and OpenSSL-1.1.0i but am
currently not able to find some TFO usage evidence except the TFO key

$ cat /proc/sys/net/ipv4/tcp_fastopen_key
750532b8-36e6eb1d-800cb58e-3008f1f1

Monitoring examples like in here -->
https://blog.wasin.io/blog/2016/12/26/how-to-enable-fast-tcp-open-on-ubuntu.html
didn't deliver any results but they are also old (echo 3 >
/proc/sys/net/ipv4/tcp_fastopen) is in this description also included
which is outdated, possibly the monitoring examples are too.

Best,

Erik
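The reply above reports finding no evidence that TFO is actually in use. As an added example (not part of the thread and not IPFire code), this script decodes the `tcp_fastopen` bitmask and reads the kernel's `TCPFastOpen*` counters from `/proc/net/netstat`; the function names and the sample data are constructed for illustration.

```shell
# Added example, not IPFire code. Function names are made up for illustration.

# Decode the two low bits of net.ipv4.tcp_fastopen (see ip-sysctl.txt):
# 0x1 = client side enabled, 0x2 = server side enabled.
tfo_mode() {
    case $(( $1 & 3 )) in
        0) echo "disabled" ;;
        1) echo "client" ;;
        2) echo "server" ;;
        3) echo "client+server" ;;
    esac
}

# Print "name value" for each TCPFastOpen* counter. /proc/net/netstat holds
# line pairs: "TcpExt: <names...>" followed by "TcpExt: <values...>".
tfo_counters() {
    awk '
        $1 == "TcpExt:" && !names { for (i = 2; i <= NF; i++) n[i] = $i; names = 1; next }
        $1 == "TcpExt:" { for (i = 2; i <= NF; i++) if (n[i] ~ /^TCPFastOpen/) print n[i], $i
                          names = 0 }
    ' "${1:-/proc/net/netstat}"
}

# Value of a single counter; 0 when the kernel does not export it.
tfo_counter() {
    tfo_counters "$2" | awk -v c="$1" '$1 == c { v = $2 } END { print v + 0 }'
}

# TCPFastOpenActive counts outgoing, TCPFastOpenPassive incoming connections
# that were opened with data in the SYN.
tfo_evidence() {
    a=$(tfo_counter TCPFastOpenActive "$1")
    p=$(tfo_counter TCPFastOpenPassive "$1")
    if [ "$a" -gt 0 ] || [ "$p" -gt 0 ]; then echo "used active=$a passive=$p"
    else echo "no-evidence"; fi
}

# Constructed sample in /proc/net/netstat format (not captured from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
TcpExt: SyncookiesSent TCPFastOpenActive TCPFastOpenActiveFail TCPFastOpenPassive TCPFastOpenPassiveFail TCPFastOpenListenOverflow TCPFastOpenCookieReqd
TcpExt: 0 12 1 0 0 0 3
IpExt: InOctets OutOctets
IpExt: 1000 2000
EOF

echo "mode: $(tfo_mode 3)"
tfo_counters "$sample"
tfo_evidence "$sample"
```

On a live system, call `tfo_counters` with no argument to read `/proc/net/netstat` directly and pass the content of `/proc/sys/net/ipv4/tcp_fastopen` to `tfo_mode`.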
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 4066af767..52b21efa4 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -13,6 +13,7 @@ net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_fin_timeout = 30 net.ipv4.tcp_syn_retries = 3 net.ipv4.tcp_synack_retries = 3 +net.ipv4.tcp_fastopen = 3 net.ipv4.conf.default.arp_filter = 1 net.ipv4.conf.default.rp_filter = 0
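Review bot: the added `net.ipv4.tcp_fastopen = 3` has no comment, and the commit message does not say why 3 was chosen. The value is a bitmask (per the ip-sysctl.txt linked in the commit message, 0x1 enables the client side and 0x2 the server side), so a reader of sysctl.conf cannot tell that this turns on both. Suggest a one-line comment above the setting, for example `# TCP Fast Open: 1 = client, 2 = server, 3 = both`, and a sentence in the commit message naming which local services are expected to accept data in the SYN, since the server bit lets listeners that opt in receive data before the three-way handshake completes. The commit message also needs correcting before this is applied: it says the echo into /proc/sys/net/ipv4/tcp_fastopen is still needed after every reboot, which is what this sysctl.conf entry replaces.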