Auto deploy from GitHub Actions build 465

[ab0daa5] iBug: gw-jp: Add sysctl net.nf_conntrack_max
ustclug · Sep 19, 2024 · 35261aa · 35261aa
1 parent 878ddda
commit 35261aa
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 3 deletions.
diff --git a/search/search_index.json b/search/search_index.json
diff --git a/services/gateway-jp/index.html b/services/gateway-jp/index.html
@@ -1934,12 +1934,36 @@
     <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
 
         <li class="md-nav__item">
+  <a href="#network-configuration" class="md-nav__link">
+    <span class="md-ellipsis">
+      Network configuration
+    </span>
+  </a>
+
+    <nav class="md-nav" aria-label="Network configuration">
+      <ul class="md-nav__list">
+
+          <li class="md-nav__item">
   <a href="#iptables" class="md-nav__link">
     <span class="md-ellipsis">
       iptables
     </span>
   </a>
 
+</li>
+
+          <li class="md-nav__item">
+  <a href="#sysctl" class="md-nav__link">
+    <span class="md-ellipsis">
+      sysctl
+    </span>
+  </a>
+
+</li>
+
+      </ul>
+    </nav>
+
 </li>
 
     </ul>
@@ -2539,12 +2563,36 @@
     <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
 
         <li class="md-nav__item">
+  <a href="#network-configuration" class="md-nav__link">
+    <span class="md-ellipsis">
+      Network configuration
+    </span>
+  </a>
+
+    <nav class="md-nav" aria-label="Network configuration">
+      <ul class="md-nav__list">
+
+          <li class="md-nav__item">
   <a href="#iptables" class="md-nav__link">
     <span class="md-ellipsis">
       iptables
     </span>
   </a>
 
+</li>
+
+          <li class="md-nav__item">
+  <a href="#sysctl" class="md-nav__link">
+    <span class="md-ellipsis">
+      sysctl
+    </span>
+  </a>
+
+</li>
+
+      </ul>
+    </nav>
+
 </li>
 
     </ul>
@@ -2569,9 +2617,17 @@ <h1 id="gateway-japan-gateway-jp">Gateway: Japan (<code>gateway-jp</code>)<a cla
 <div class="admonition info">
 <p class="admonition-title">This page is currently a stub.</p>
 </div>
-<h2 id="iptables">iptables<a class="headerlink" href="#iptables" title="Permanent link">&para;</a></h2>
+<h2 id="network-configuration">Network configuration<a class="headerlink" href="#network-configuration" title="Permanent link">&para;</a></h2>
+<h3 id="iptables">iptables<a class="headerlink" href="#iptables" title="Permanent link">&para;</a></h3>
 <p>See <a href="../gateway-nic/#iptables">Gateway NIC</a></p>
 <p>Blacklists are also managed with <code>ipset</code>, see <code>/root/iptables</code>.</p>
+<h3 id="sysctl">sysctl<a class="headerlink" href="#sysctl" title="Permanent link">&para;</a></h3>
+<p>When first applying iptables rules, we experienced severe performance degradation. Dmesg was flooded with messages like this:</p>
+<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a>nf_conntrack: nf_conntrack: table full, dropping packet
+</code></pre></div>
+<p>So we increased this sysctl setting:</p>
+<div class="highlight"><span class="filename">/etc/sysctl.d/00-ustclug.conf</span><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a>net.nf_conntrack_max<span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="m">262144</span>
+</code></pre></div>
 
 
 

diff --git a/services/gateway-nic/index.html b/services/gateway-nic/index.html
@@ -2995,7 +2995,7 @@ <h2 id="fail2ban">Fail2ban<a class="headerlink" href="#fail2ban" title="Permanen
 </code></pre></div>
 <h2 id="nginx">Nginx<a class="headerlink" href="#nginx" title="Permanent link">&para;</a></h2>
 <h3 id="unregistered-domain-traffic">ustclug.org issue<a class="headerlink" href="#unregistered-domain-traffic" title="Permanent link">&para;</a></h3>
-<p>To mitigate the issue of the complaints from ISPs and the regulation authorities caused by the gateways in USTCnet responding to the requests for <code>ustclug.org</code>, which is a unregistered domain in China MIIT, we make nginx listen on an alternative port 81/444 for HTTP and HTTPS respectively, to response to the requests for <code>lug.ustc.edu.cn</code> only, and rejecting the handshake for any other domain.</p>
+<p>To mitigate the issue of the complaints from ISPs and the regulation authorities caused by the gateways in USTCnet responding to the requests for <code>ustclug.org</code>, which is a unregistered domain in China MIIT, we make nginx listen on an alternative port 81/444 for HTTP and HTTPS respectively, to respond to requests for <code>lug.ustc.edu.cn</code> only, and rejecting the handshake for any other domain.</p>
 <div class="highlight"><span class="filename">/etc/nginx/sites-available/default</span><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a>server {
 <a id="__codelineno-14-2" name="__codelineno-14-2" href="#__codelineno-14-2"></a>  listen 81 default_server;
 <a id="__codelineno-14-3" name="__codelineno-14-3" href="#__codelineno-14-3"></a>  listen [::]:81 default_server;