NetBSD Problem Report #59645

Message-Id: <20250909002617.480521A923D@mollari.NetBSD.org>
Date: Tue,  9 Sep 2025 00:26:17 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: inetd `rate-limiting' algorithm is stupid
X-Send-Pr-Version: www-1.0

>Number:         59645
>Category:       bin
>Synopsis:       inetd `rate-limiting' algorithm is stupid
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Sep 09 00:30:00 +0000 2025
>Last-Modified:  Fri Feb 13 03:35:00 +0000 2026
>Originator:     Taylor R Campbell
>Release:        current, 11, 10, 9, ...
>Organization:
The InetBSDon't Foundation
>Environment:
>Description:

	If an inetd service is configured with a rate limit, say

		http		stream	tcp	nowait:600	_httpd	/usr/libexec/httpd	httpd /var/www

	and there are more than 600 connections in 1min, then inetd
	will go catatonic for 10min and stop accepting connections
	altogether---even if that means it is completely idle.

	This is absurd, and it's causing our CDN origin ftp.n.o to fall
	over repeatedly because as soon as it comes back up there's a
	burst of pent-up requests from the CDN caches which make it go
	catatonic again.

	We should be able to just set a maximum number of connections
	at any given time, particularly in nowait (fork-per-connection)
	mode.  If there are that many children still pending, inetd
	should just decline to fork new ones until one of them
	completes.


>How-To-Repeat:

	1. Configure inetd with a `rate limit' (really, a tantrum
	   threshold).

	2. Exceed that number of connections in 1min without actually
	   putting serious load on the server.

	3. Observe that inetd has gone catatonic.


>Fix:

	Change the meaning of the notation, or add new notation, to
	just limit the number of connections at any given time (and
	maybe set a timeout on each one).


>Audit-Trail:
From: Taylor R Campbell <riastradh@NetBSD.org>
To: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Cc: Michael van Elst <mlelstv@NetBSD.org>
Subject: Re: bin/59645: inetd `rate-limiting' algorithm is stupid
Date: Fri, 13 Feb 2026 03:32:45 +0000

 Looks like a couple months ago mlelstv implemented a concurrency limit
 like I suggested.  It would be really nice if this had some tests and
 pullup-11 so we can put an end to the stupid self-inflicted catatonia
 in TNF's own deployments of inetd(8) for public- or CDN-facing
 services.


 Module Name:    src
 Committed By:   mlelstv
 Date:           Sat Dec 27 08:06:38 UTC 2025

 Modified Files:
         src/usr.sbin/inetd: inetd.8 inetd.c inetd.h parse.c parse_v2.c

 Log Message:
 Add an optional accept limit to stream/nowait services.

 Old syntax:

            socket-type[,accept-max][:accept-filter]

 New syntax adds the option:

      accept_max    Equivalent to accept-max in positional notation.

 accept_max is a positive integer. inetd will stop accepting new
 connections for a service when the number of running and
 waited-for instances reaches that number. Further connection
 attempts will be queued by the kernel and eventually time
 out.

 The limit acts in parallel to the wait maximum (default 40). If
 you want more than 40 instances being spawned, you also need to
 adjust the wait maximum to a higher value.


 To generate a diff of this commit:
 cvs rdiff -u -r1.68 -r1.69 src/usr.sbin/inetd/inetd.8
 cvs rdiff -u -r1.141 -r1.142 src/usr.sbin/inetd/inetd.c
 cvs rdiff -u -r1.7 -r1.8 src/usr.sbin/inetd/inetd.h \
     src/usr.sbin/inetd/parse_v2.c
 cvs rdiff -u -r1.5 -r1.6 src/usr.sbin/inetd/parse.c

 https://mail-index.netbsd.org/source-changes/2025/12/27/msg159755.html
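The two policies this PR contrasts, modelled side by side in a constructed C simulation (added illustration, not inetd(8) source; the 1-minute window and 10-minute shutdown come from the report text, while the struct and function names are mine):

```c
#include <stdbool.h>
/* Constructed model of the two inetd policies this PR describes (added
 * illustration, not inetd's source).  Constants follow the PR text. */
#define CNT_INTVL 60        /* 1-minute counting window, in seconds */
#define RETRYTIME (10 * 60) /* 10-minute shutdown once the limit is exceeded */
/* Old behaviour: "nowait:max" is a per-minute threshold, not a cap. */
struct rate_limit { int max, count; long win_start, off_until; };

static bool rate_accept(struct rate_limit *r, long now)
{
	if (now < r->off_until)
		return false;               /* closed, even if completely idle */
	if (now - r->win_start >= CNT_INTVL) {
		r->win_start = now;         /* start a new 1-minute window */
		r->count = 0;
	}
	if (++r->count <= r->max)
		return true;
	r->off_until = now + RETRYTIME; /* more than max: stop for 10 minutes */
	r->count = 0;
	return false;
}

/* New: accept_max caps running or unreaped children; excess just queues. */
struct conc_limit { int accept_max, running; };

static bool conc_accept(struct conc_limit *c)
{
	if (c->running >= c->accept_max)
		return false;
	c->running++;
	return true;
}

/* PR scenario: burst at t=0, children all exit, then one request at t=later. */
static bool rate_accepts_after_burst(int max, int burst, long later)
{
	struct rate_limit r = { max, 0, 0, 0 };
	for (int i = 0; i < burst; i++)
		rate_accept(&r, 0);
	return rate_accept(&r, later);
}

static bool conc_accepts_after_burst(int accept_max, int burst)
{
	struct conc_limit c = { accept_max, 0 };
	for (int i = 0; i < burst; i++)
		conc_accept(&c);            /* at most accept_max get forked */
	c.running = 0;                  /* burst children exit and are reaped */
	return conc_accept(&c);
}
```

With nowait:600, a burst of 601 short requests leaves the rate policy refusing the idle server's next connection for the full 10 minutes, whereas accept_max=600 accepts it as soon as the children have been reaped.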

Copyright © 1994-2026 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.