Hi,

On Fri, Jun 10, 2016 at 12:21:33PM +0100, debbie10t wrote:

> > If the server pushes an item the client rejects then
> > the client will just reconnect endlessly, completing a
> > full reconnect to the server then restarting !
> > This practically constitutes a DDOS ..


The logic used with reject is no different from what happens with many
other failures.  For example, try '--tls-verify /tmp' . For max effect use
2.3 so that the SIGUSR1 loop will wait only for 2 seconds between retries.
Well, this is not a full connect, but does put some load on the server.

Now suppose we only provide '--pull-filter ignore opt' which doesn't
trigger SIGUSR1. Then try this:

--pull-filter ignore ping --ping-restart 2

On Fri, Jun 10, 2016 at 8:54 AM, Gert Doering <g...@greenie.muc.de> wrote:

>
> "If you send me stuff that I find reject-worthy, you should be DoSed!!!"
>
> Seriously: I expect people to notice that their VPN isn't connecting, and
> check the log, no?
>
> @Selva, Arne: can we make the reconnect logic somewhat smarter overall,
> like
> "if reconnecting to the same host, wait 30 seconds instead of 5"?


This is possible, but the case for progressively increasing the restart
pause is not very strong. Can we get some feedback from people who serve
1000's of users?

Selva
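
Added example, not part of the original message and not OpenVPN code: a small model of the server-side load question raised above, counting how many reconnect attempts a permanently failing client makes per hour under a fixed restart pause versus a progressively increasing one. The struct, its field names, the 300-second cap and the grace count of 3 are assumptions for illustration; the 2, 5 and 30 second pauses are the figures mentioned in the thread.

```c
#include <stdio.h>

/* Hypothetical policy; field names are illustrative, not OpenVPN options. */
struct restart_policy {
    unsigned base_pause; /* seconds to wait after a failed attempt */
    unsigned max_pause;  /* ceiling on the pause, in seconds */
    unsigned grace;      /* failures retried at base_pause before doubling */
};

/* Pause after the failures-th consecutive failure (1-based). */
unsigned restart_pause(const struct restart_policy *p, unsigned failures)
{
    unsigned pause = p->base_pause;
    for (unsigned i = p->grace; i < failures && pause < p->max_pause; i++)
        pause = (pause > p->max_pause / 2) ? p->max_pause : pause * 2;
    return pause;
}

/* Attempts made within `window` seconds by a client whose every attempt
 * fails instantly (assumption: connection setup time is ignored). */
unsigned attempts_in_window(const struct restart_policy *p, unsigned window)
{
    unsigned t = 0, n = 0;
    while (t < window) {
        unsigned pause = restart_pause(p, ++n);
        t += pause ? pause : 1; /* never spin on a zero pause */
    }
    return n;
}

int main(void)
{
    /* Constructed scenarios: 2 s and 5/30 s come from the thread; the
     * 300 s cap and grace of 3 are assumptions. */
    const struct { const char *name; struct restart_policy p; } s[] = {
        { "fixed 2s",        { 2, 2, 0 } },
        { "fixed 5s",        { 5, 5, 0 } },
        { "fixed 30s",       { 30, 30, 0 } },
        { "5s doubling/300", { 5, 300, 3 } },
    };
    for (unsigned i = 0; i < sizeof s / sizeof s[0]; i++) {
        unsigned n = attempts_in_window(&s[i].p, 3600);
        printf("%-16s %5u attempts/h per client, %8lu for 1000 clients\n",
               s[i].name, n, 1000UL * n);
    }
    return 0;
}
```

A real implementation would also reset the failure counter after a successful connection, which this model leaves out because it only considers a client that never succeeds.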
