NetBSD Problem Report #58566
From www@netbsd.org Sat Aug 10 12:46:16 2024
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 61D251A9241
for <gnats-bugs@gnats.NetBSD.org>; Sat, 10 Aug 2024 12:46:16 +0000 (UTC)
Message-Id: <20240810124614.BBA871A9242@mollari.NetBSD.org>
Date: Sat, 10 Aug 2024 12:46:14 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: inetd spawn limits deny service unnecessarily aggressively
X-Send-Pr-Version: www-1.0
>Number: 58566
>Category: bin
>Synopsis: inetd spawn limits deny service unnecessarily aggressively
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Aug 10 12:50:00 +0000 2024
>Closed-Date: Thu Jun 04 10:42:13 +0000 2026
>Last-Modified: Thu Jun 04 10:42:13 +0000 2026
>Originator: Taylor R Campbell
>Release: current, 10
>Organization:
The InetBSD Connectiontimedoutation
>Environment:
>Description:
In inetd.conf you can request a spawn limit, like:
http stream tcp nowait:600 _httpd /usr/libexec/httpd httpd /var/www
This is documented to limit the maximum number of server instances that may be spawned per minute. But it goes farther than that:
The wait/nowait entry is used to tell inetd if it should wait for the
server program to return, or continue processing connections on the
socket. [...] The optional "max" suffix
(separated from "wait" or "nowait" by a dot or a colon) specifies the
maximum number of server instances that may be spawned from inetd within
an interval of 60 seconds. When omitted, "max" defaults to 40. If it
reaches this maximum spawn rate, inetd will log the problem (via the
syslogger using the LOG_DAEMON facility and LOG_ERR level) and stop
handling the specific service for ten minutes.
This means making 601 connections in one minute renders the service inaccessible for ten minutes!
>How-To-Repeat:
download too many packages from ftp.netbsd.org, or browse too many files in the source tree published there
>Fix:
Yes, please!
Instead of cutting off the service for ten minutes, inetd should probably use a token bucket rate limiter so that within any minute, it only serves 600 connections and delays the 601st, but in the next minute serves that one and continues.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Thu, 04 Jun 2026 10:42:13 +0000
State-Changed-Why:
Apparently I forgot about this one when I filed
PR bin/59645: inetd `rate-limiting' algorithm is stupid
https://gnats.netbsd.org/59645
which is now where the activity has happened, so let's close this
duplicate even though it's older.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.49 2026/05/14 01:52:41 riastradh Exp $
$NetBSD: gnats_config.sh,v 1.10 2026/05/13 22:00:09 riastradh Exp $
Copyright © 1994-2026
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home