[pve-devel] [PATCH pve-firewall 0/2] Fix #2450: synflood protection

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Nov 18 14:01:14 CET 2019


applied, thanks

On Tue, Nov 12, 2019 at 01:59:02PM +0100, Alexandre Derumier wrote:
> Currently, a virtio-net + vhost-net can handle between 200-300 kpps for each vm (with 1core/queue=1).
> That means that a vm can easily be overloaded with a simple synflood (hping3 --flood -p 80 -S targetip).
> Also the conntrack of the host can be saturated easily.
> 
> This patch introduces a new option, enabling rate limiting of syn/s by src ip (protection_synflood:1).
> 
> rate limit can be set with: protection_synflood_rate (default 200 syn/s)
> with an extra burst: protection_synflood_rate (default 1000).
> 
> It's also possible to reduce conntrack syn timeout: nf_conntrack_tcp_timeout_syn_recv (default 60).
> 
> with default values, a src ip can take around (60 * 200 = 12000 conntrack entries).
> 
> The iptables rules are done in raw table, before reaching the conntrack.
> 
> This protection works fine for non-spoofed src ip.
> For spoofed src ip, the only way could be to implement SYNPROXY,
> but this only works for routed/nat setups. (The host needs to be able to reply
> with the src ip of the vm) and needs https://bugzilla.proxmox.com/show_bug.cgi?id=2451
> 
> Some good information about synflood protections
> https://2014.rmll.info/slides/356/day_1-1400-Jesper_Brouer-DDoS_protection_using_Netfilter_iptables.pdf
> 
> 
> Alexandre Derumier (2):
>   iptables : add raw table support
>   add synflood protection
> 
>  src/PVE/Firewall.pm             | 180 +++++++++++++++++++++++++++-----
>  src/PVE/Service/pve_firewall.pm |  27 +++--
>  test/fwtester.pl                |  10 +-
>  3 files changed, 175 insertions(+), 42 deletions(-)
> 
> -- 
> 2.20.1
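
As an added illustration (not code from the patch or from anyone in this thread), a small Python model of the per-source-IP rate limiting the cover letter describes, using the defaults it quotes (200 syn/s, burst 1000, nf_conntrack_tcp_timeout_syn_recv 60 s). The token-bucket semantics are assumed to approximate the kernel's per-srcip hashlimit behaviour, which the thread does not name; the sample traffic and addresses are constructed.

```python
from collections import defaultdict
from fractions import Fraction

# Defaults quoted in the cover letter
RATE = 200              # protection_synflood_rate: SYN/s allowed per source IP
BURST = 1000            # extra burst per source IP
SYN_RECV_TIMEOUT = 60   # nf_conntrack_tcp_timeout_syn_recv, seconds


class SrcIpSynLimiter:
    """Per-source-IP token bucket; an assumed approximation of the
    kernel's hashlimit srcip mode, not the real matcher."""

    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # src -> (tokens, last_seen_ts)

    def allow(self, src, ts):
        tokens, last = self.buckets.get(src, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)  # refill
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, ts)
            return True
        self.buckets[src] = (tokens, ts)  # over the limit: SYN is dropped
        return False


def run(syns, rate=RATE, burst=BURST):
    """syns: iterable of (timestamp, src_ip). Returns {src: (accepted, dropped)}."""
    lim = SrcIpSynLimiter(rate, burst)
    stats = defaultdict(lambda: [0, 0])
    for ts, src in syns:
        stats[src][0 if lim.allow(src, ts) else 1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


def max_conntrack_entries(rate=RATE, timeout=SYN_RECV_TIMEOUT):
    """Upper bound on SYN_RECV conntrack entries one non-spoofed source can hold open."""
    return rate * timeout


def sample_traffic():
    # Constructed sample: one source flooding 10 000 SYN evenly over 1 s,
    # one ordinary client opening 5 connections in that same second.
    flood = [(Fraction(i, 10000), "203.0.113.10") for i in range(10000)]
    normal = [(Fraction(i, 5), "198.51.100.7") for i in range(5)]
    return sorted(flood + normal)


if __name__ == "__main__":
    for src, (ok, dropped) in run(sample_traffic()).items():
        print(f"{src}: accepted={ok} dropped={dropped}")
    print("conntrack bound per source:", max_conntrack_entries())
```

The flooding source gets roughly burst plus one second of rate (1199 of its 10 000 SYNs) and the rest are dropped before conntrack sees them, while the ordinary client's five SYNs all pass; the bound function reproduces the 60 * 200 = 12000 figure from the cover letter.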



