From 7ce0b4a996320474c83ac603a864628e749b6b8a Mon Sep 17 00:00:00 2001
From: bol-van
Date: Fri, 12 Dec 2025 23:28:37 +0300
Subject: [PATCH] nfqws2: reduce default retrans maxseq to 32768, adjust config

---
 config.default | 13 +++++++------
 docs/changes.txt | 1 +
 nfq2/params.h | 2 +-
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/config.default b/config.default
index 8371dfa..dd825d0 100644
--- a/config.default
+++ b/config.default
@@ -26,8 +26,10 @@ IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
 IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
 IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
 # options for auto hostlist
+# NOTE : in order for these adjustment to work it's required to redirect enough starting packets
+# NOTE : set PKT_IN, PKT_OUT variables appropriately
 AUTOHOSTLIST_INCOMING_MAXSEQ=4096
-AUTOHOSTLIST_RETRANS_MAXSEQ=65536
+AUTOHOSTLIST_RETRANS_MAXSEQ=32768
 AUTOHOSTLIST_RETRANS_THRESHOLD=3
 AUTOHOSTLIST_FAIL_THRESHOLD=3
 AUTOHOSTLIST_FAIL_TIME=60
@@ -64,11 +66,10 @@ NFQWS2_PORTS_TCP=80,443
 NFQWS2_PORTS_UDP=443
 # PKT_OUT means connbytes dir original
 # PKT_IN means connbytes dir reply
-# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
-NFQWS2_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
-NFQWS2_TCP_PKT_IN=3
-NFQWS2_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
-NFQWS2_UDP_PKT_IN=0
+NFQWS2_TCP_PKT_OUT=20
+NFQWS2_TCP_PKT_IN=10
+NFQWS2_UDP_PKT_OUT=5
+NFQWS2_UDP_PKT_IN=3
 # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
 # normally it's needed only for stateless DPI that matches every packet in a single TCP session
 # typical example are plain HTTP keep alives
diff --git a/docs/changes.txt b/docs/changes.txt
index 13518d8..53dc0b5 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
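Review bot: The two added NOTE lines in the first config.default hunk are ungrammatical ("these adjustment") and never name the variables they are telling the user to set, even though the second hunk of this same file replaces the threshold-derived NFQWS2_*_PKT_OUT values with fixed numbers. Suggest `# NOTE : for these settings to take effect, enough initial packets of each connection must be redirected to nfqws2;` followed by `# NOTE : adjust NFQWS2_TCP_PKT_OUT/NFQWS2_TCP_PKT_IN and NFQWS2_UDP_PKT_OUT/NFQWS2_UDP_PKT_IN accordingly`. The new AUTOHOSTLIST_RETRANS_MAXSEQ=32768 also mirrors HOSTLIST_AUTO_RETRANS_MAXSEQ in nfq2/params.h, which this commit edits in lockstep by hand; a trailing `# keep in sync with HOSTLIST_AUTO_RETRANS_MAXSEQ in nfq2/params.h` would make that coupling visible to whoever changes one file without the other.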
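Review bot: In the second config.default hunk, NFQWS2_TCP_PKT_OUT and NFQWS2_UDP_PKT_OUT become the fixed values 20 and 5 instead of `$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))`, so a user who raises AUTOHOSTLIST_RETRANS_THRESHOLD no longer gets a matching connbytes limit and retransmission counting can silently stop before the threshold is reached. The removed line was also the only comment saying these values are the kernel-side `--dpi-desync-cutoff` limiter that saves CPU, and that rationale is now gone. If the decoupling is intentional, restore a comment stating the constraint, e.g. `# kernel-side connbytes cutoff (--dpi-desync-cutoff equivalent, saves CPU); PKT_OUT must stay above the packets needed to observe AUTOHOSTLIST_RETRANS_THRESHOLD retransmissions`; otherwise keep the `$((N+$AUTOHOSTLIST_RETRANS_THRESHOLD))` form with the new base. Whether PKT_IN=10 is enough to cover AUTOHOSTLIST_INCOMING_MAXSEQ (presumably a reply-direction sequence window, not a packet count — confirm) cannot be judged from this file, so a sentence on how the two relate would help as well.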
@@ -97,3 +97,4 @@ v0.7.1
 * nfqws2: cancel reasm if server window size is smaller than expected reasm size
 * nfqws2: add EOL at the end of truncated buffered DLOG line if it's too large. increase log line buffer
 * nfqws2: autohostlist reset fail counter if udp_in > threshold
+* nfqws2: reduced default retrans maxseq to 32768
diff --git a/nfq2/params.h b/nfq2/params.h
index 0e158d8..0a742f4 100644
--- a/nfq2/params.h
+++ b/nfq2/params.h
@@ -30,7 +30,7 @@
 #define HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT 3
 #define HOSTLIST_AUTO_FAIL_TIME_DEFAULT 60
 #define HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT 3
-#define HOSTLIST_AUTO_RETRANS_MAXSEQ 65536
+#define HOSTLIST_AUTO_RETRANS_MAXSEQ 32768
 #define HOSTLIST_AUTO_INCOMING_MAXSEQ 4096
 #define HOSTLIST_AUTO_UDP_OUT 4
 #define HOSTLIST_AUTO_UDP_IN 1
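Review bot: HOSTLIST_AUTO_RETRANS_MAXSEQ is halved in nfq2/params.h with no comment on what the value bounds, what unit it is in, or why 32768 was chosen, and the same number is duplicated as AUTOHOSTLIST_RETRANS_MAXSEQ in config.default, which this commit edits by hand in parallel. Suggest a trailing `/* keep in sync with AUTOHOSTLIST_RETRANS_MAXSEQ in config.default */` on the new line, and, if it is the sequence-space window within which retransmissions are counted toward the autohostlist (presumably, given the name — confirm against the autohostlist code), say so and name the unit. The neighbouring defines HOSTLIST_AUTO_INCOMING_MAXSEQ, HOSTLIST_AUTO_UDP_OUT and HOSTLIST_AUTO_UDP_IN have the same gap and would benefit from one-line descriptions in the same style.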