NetBSD Problem Report #59645

From www@netbsd.org  Tue Sep  9 00:26:18 2025
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits)
	 client-signature RSA-PSS (2048 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 802DC1A923C
	for <gnats-bugs@gnats.NetBSD.org>; Tue,  9 Sep 2025 00:26:18 +0000 (UTC)
Message-Id: <20250909002617.480521A923D@mollari.NetBSD.org>
Date: Tue,  9 Sep 2025 00:26:17 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: inetd `rate-limiting' algorithm is stupid
X-Send-Pr-Version: www-1.0

>Number:         59645
>Category:       bin
>Synopsis:       inetd `rate-limiting' algorithm is stupid
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Sep 09 00:30:00 +0000 2025
>Originator:     Taylor R Campbell
>Release:        current, 11, 10, 9, ...
>Organization:
The InetBSDon't Foundation
>Environment:
>Description:

	If an inetd service is configured with a rate limit, say

		http		stream	tcp	nowait:600	_httpd	/usr/libexec/httpd	httpd /var/www

	and there are more than 600 connections in 1min, then inetd
	will go catatonic for 10min and stop accepting connections
	altogether---even if that means it is completely idle.

	This is absurd, and it's causing our CDN origin ftp.n.o to fall
	over repeatedly because as soon as it comes back up there's a
	burst of pent-up requests from the CDN caches which make it go
	catatonic again.

	We should be able to just set a maximum number of connections
	at any given time, particularly in nowait (fork-per-connection)
	mode.  If there are that many children still pending, inetd
	should just decline to fork new ones until one of them
	completes.


>How-To-Repeat:

	1. Configure inetd with a `rate limit' (really, a tantrum
	   threshold).

	2. Exceed that number of connections in 1min without actually
	   putting serious load on the server.

	3. Observe that inetd has gone catatonic.


>Fix:

	Change the meaning of the notation, or add new notation, to
	just limit the number of connections at any given time (and
	maybe set a timeout on each one).
