NetBSD Problem Report #58566
From www@netbsd.org Sat Aug 10 12:46:16 2024
Message-Id: <20240810124614.BBA871A9242@mollari.NetBSD.org>
Date: Sat, 10 Aug 2024 12:46:14 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: inetd spawn limits deny service unnecessarily aggressively
X-Send-Pr-Version: www-1.0
>Number: 58566
>Category: bin
>Synopsis: inetd spawn limits deny service unnecessarily aggressively
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Aug 10 12:50:00 +0000 2024
>Originator: Taylor R Campbell
>Release: current, 10
>Organization:
The InetBSD Connectiontimedoutation
>Environment:
>Description:
In inetd.conf you can request a spawn limit, like:
    http stream tcp nowait:600 _httpd /usr/libexec/httpd httpd /var/www
This is documented to limit the maximum number of server instances that may be spawned per minute. But it goes farther than that:
    The wait/nowait entry is used to tell inetd if it should wait for the
    server program to return, or continue processing connections on the
    socket. [...] The optional "max" suffix
    (separated from "wait" or "nowait" by a dot or a colon) specifies the
    maximum number of server instances that may be spawned from inetd within
    an interval of 60 seconds. When omitted, "max" defaults to 40. If it
    reaches this maximum spawn rate, inetd will log the problem (via the
    syslogger using the LOG_DAEMON facility and LOG_ERR level) and stop
    handling the specific service for ten minutes.
This means making 601 connections in one minute renders the service inaccessible for ten minutes!
>How-To-Repeat:
download too many packages from ftp.netbsd.org, or browse too many files in the source tree published there
>Fix:
Yes, please!
Instead of cutting off the service for ten minutes, inetd should probably use a token bucket rate limiter so that within any minute, it only serves 600 connections and delays the 601st, but in the next minute serves that one and continues.
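Added example (not part of the PR and not NetBSD's inetd source): a small model of the two policies discussed above, fed the same constructed arrival trace. The "cutoff" function is this example's reading of the inetd.conf(5) text (count spawns in a 60 s window, the spawn that exceeds "max" switches the service off for ten minutes); the real inetd bookkeeping may differ in detail. The token-bucket function implements the alternative the PR proposes: a bucket of "max" tokens refilled at max/60 per second, so an over-limit connection is delayed until the next token rather than refused. The trace (601 connections in the same second, then one more two minutes later) is constructed for the example.

```c
/*
 * Added example, not NetBSD inetd code: models the documented spawn limit
 * (max spawns per 60 s, then ten minutes of no service) next to the
 * token-bucket limiter proposed in the PR.  Times are seconds as doubles;
 * served_at[i] is when connection i is served, or -1.0 if it is dropped.
 */
#include <stdio.h>

#define WINDOW_SECS   60.0   /* interval over which "max" spawns are allowed */
#define DISABLE_SECS 600.0   /* documented cut-off after hitting the limit  */
#define BURST        601     /* constructed trace: one more than max=600    */
#define NCONN        (BURST + 1)

/* Documented policy as this example interprets the man page: spawns are
 * counted in a 60 s window anchored at the first spawn of that window; the
 * spawn that would exceed "max" trips the limit and the service is ignored
 * for the next ten minutes.  Returns the number of dropped connections. */
static int
simulate_cutoff(const double *arrivals, int n, int max, double *served_at)
{
	double window_start = -1.0, disabled_until = -1.0;
	int count = 0, dropped = 0;

	for (int i = 0; i < n; i++) {
		double t = arrivals[i];
		if (t < disabled_until) {             /* service switched off */
			served_at[i] = -1.0;
			dropped++;
			continue;
		}
		if (window_start < 0 || t - window_start >= WINDOW_SECS) {
			window_start = t;               /* open a fresh 60 s window */
			count = 0;
		}
		if (++count > max) {                  /* the (max+1)th spawn trips it */
			disabled_until = t + DISABLE_SECS;
			served_at[i] = -1.0;
			dropped++;
			continue;
		}
		served_at[i] = t;
	}
	return dropped;
}

/* Proposed policy: a token bucket holding "max" tokens, refilled at max/60
 * tokens per second.  A connection that finds no token is delayed until the
 * next token exists; nothing is refused and connections are served in FIFO
 * order.  Returns the number of connections that had to wait. */
static int
simulate_token_bucket(const double *arrivals, int n, int max, double *served_at)
{
	double rate = max / WINDOW_SECS, tokens = max, last = 0.0;
	int delayed = 0;

	for (int i = 0; i < n; i++) {
		double clock = arrivals[i] > last ? arrivals[i] : last;  /* FIFO */
		tokens += (clock - last) * rate;      /* refill since last service */
		if (tokens > max)
			tokens = max;
		if (tokens < 1.0) {                   /* wait for the next token */
			clock += (1.0 - tokens) / rate;
			tokens = 1.0;
			delayed++;
		}
		tokens -= 1.0;
		served_at[i] = clock;
		last = clock;
	}
	return delayed;
}

/* Constructed trace: 601 connections in the same second (the "browse too
 * many files" case), then one more two minutes later. */
static int
build_trace(double *arrivals)
{
	for (int i = 0; i < BURST; i++)
		arrivals[i] = 0.0;
	arrivals[BURST] = 120.0;
	return NCONN;
}

int
main(void)
{
	double arrivals[NCONN], cut[NCONN], tb[NCONN];
	int n = build_trace(arrivals);
	int dropped = simulate_cutoff(arrivals, n, 600, cut);
	int delayed = simulate_token_bucket(arrivals, n, 600, tb);

	printf("cutoff:       %d of %d dropped; connection at t=120 served at %.1f\n",
	    dropped, n, cut[n - 1]);
	printf("token bucket: %d of %d delayed; 601st served at %.1f, t=120 at %.1f\n",
	    delayed, n, tb[BURST - 1 + 1 - 1 + 1 - 1], tb[n - 1]);
	return 0;
}
```

With max=600 the cutoff model drops the 601st connection and everything for the next ten minutes, so the request at t=120 never gets served; the token bucket delays the 601st by 0.1 s (one token at 10 tokens/s) and serves the t=120 request immediately, which is the behaviour the PR asks for.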
Copyright © 1994-2024
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.