nfqws2: reduce default retrans maxseq to 32768, adjust config

2026-03-13 22:03:09 +00:00 · 2025-12-12 23:28:37 +03:00
parent 053556fe2d
commit 7ce0b4a996
3 changed files with 9 additions and 7 deletions
--- a/config.default
+++ b/config.default
@@ -26,8 +26,10 @@ IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
 IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
 IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
 # options for auto hostlist
+# NOTE : in order for these adjustment to work it's required to redirect enough starting packets
+# NOTE : set PKT_IN, PKT_OUT variables appropriately
 AUTOHOSTLIST_INCOMING_MAXSEQ=4096
-AUTOHOSTLIST_RETRANS_MAXSEQ=65536
+AUTOHOSTLIST_RETRANS_MAXSEQ=32768
 AUTOHOSTLIST_RETRANS_THRESHOLD=3
 AUTOHOSTLIST_FAIL_THRESHOLD=3
 AUTOHOSTLIST_FAIL_TIME=60
@@ -64,11 +66,10 @@ NFQWS2_PORTS_TCP=80,443
 NFQWS2_PORTS_UDP=443
 # PKT_OUT means connbytes dir original
 # PKT_IN means connbytes dir reply
-# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
-NFQWS2_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
-NFQWS2_TCP_PKT_IN=3
-NFQWS2_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
-NFQWS2_UDP_PKT_IN=0
+NFQWS2_TCP_PKT_OUT=20
+NFQWS2_TCP_PKT_IN=10
+NFQWS2_UDP_PKT_OUT=5
+NFQWS2_UDP_PKT_IN=3
 # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
 # normally it's needed only for stateless DPI that matches every packet in a single TCP session
 # typical example are plain HTTP keep alives