NetBSD Problem Report #59645
From www@netbsd.org Tue Sep 9 00:26:18 2025
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 802DC1A923C
for <gnats-bugs@gnats.NetBSD.org>; Tue, 9 Sep 2025 00:26:18 +0000 (UTC)
Message-Id: <20250909002617.480521A923D@mollari.NetBSD.org>
Date: Tue, 9 Sep 2025 00:26:17 +0000 (UTC)
From: campbell+netbsd@mumble.net
Reply-To: campbell+netbsd@mumble.net
To: gnats-bugs@NetBSD.org
Subject: inetd `rate-limiting' algorithm is stupid
X-Send-Pr-Version: www-1.0
>Number: 59645
>Category: bin
>Synopsis: inetd `rate-limiting' algorithm is stupid
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Sep 09 00:30:00 +0000 2025
>Last-Modified: Thu Jun 04 10:45:01 +0000 2026
>Originator: Taylor R Campbell
>Release: current, 11, 10, 9, ...
>Organization:
The InetBSDon't Foundation
>Environment:
>Description:
If an inetd service is configured with a rate limit, say
	http stream tcp nowait:600 _httpd /usr/libexec/httpd httpd /var/www
and there are more than 600 connections in 1min, then inetd
will go catatonic for 10min and stop accepting connections
altogether---even if that means it is completely idle.
This is absurd, and it's causing our CDN origin ftp.n.o to fall
over repeatedly because as soon as it comes back up there's a
burst of pent-up requests from the CDN caches which make it go
catatonic again.
We should be able to just set a maximum number of connections
at any given time, particularly in nowait (fork-per-connection)
mode. If there are that many children still pending, inetd
should just decline to fork new ones until one of them
completes.
>How-To-Repeat:
1. Configure inetd with a `rate limit' (really, a tantrum
threshold).
2. Exceed that number of connections in 1min without actually
putting serious load on the server.
3. Observe that inetd has gone catatonic.
>Fix:
Change the meaning of the notation, or add new notation, to
just limit the number of connections at any given time (and
maybe set a timeout on each one).
>Audit-Trail:
From: Taylor R Campbell <riastradh@NetBSD.org>
To: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Cc: Michael van Elst <mlelstv@NetBSD.org>
Subject: Re: bin/59645: inetd `rate-limiting' algorithm is stupid
Date: Fri, 13 Feb 2026 03:32:45 +0000
Looks like a couple months ago mlelstv implemented a concurrency limit
like I suggested. It would be really nice if this had some tests and
pullup-11 so we can put an end to the stupid self-inflicted catatonia
in TNF's own deployments of inetd(8) for public- or CDN-facing
services.
Module Name: src
Committed By: mlelstv
Date: Sat Dec 27 08:06:38 UTC 2025
Modified Files:
src/usr.sbin/inetd: inetd.8 inetd.c inetd.h parse.c parse_v2.c
Log Message:
Add an optional accept limit to stream/nowait services.
Old syntax:
	socket-type[,accept-max][:accept-filter]
New syntax adds the option:
	accept_max	Equivalent to accept-max in positional notation.
accept_max is a positive integer. inetd will stop accepting new
connections for a service, when the number of running and
waited for instances reaches that number. Further connection
attempts will be queued by the kernel and eventually time
out.
The limit acts in parallel to the wait maximum (default 40). If
you want more than 40 instances being spawned, you also need to
adjust the wait maximum to a higher value.
To generate a diff of this commit:
cvs rdiff -u -r1.68 -r1.69 src/usr.sbin/inetd/inetd.8
cvs rdiff -u -r1.141 -r1.142 src/usr.sbin/inetd/inetd.c
cvs rdiff -u -r1.7 -r1.8 src/usr.sbin/inetd/inetd.h \
src/usr.sbin/inetd/parse_v2.c
cvs rdiff -u -r1.5 -r1.6 src/usr.sbin/inetd/parse.c
https://mail-index.netbsd.org/source-changes/2025/12/27/msg159755.html
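
Added example (not part of the PR and not inetd's code): a simplified one-second-tick model in C that compares the suspend-on-threshold behaviour described in this report with a concurrency cap in the style of accept_max. The arrival pattern, the 2-second child lifetime, the cap of 30 and the unbounded backlog are constructed assumptions; a real kernel listen queue is finite and queued attempts eventually time out.

```c
#include <stdio.h>

#define WINDOW   60   /* counting interval from the report: 1 min */
#define SUSPEND  600  /* suspension from the report: 10 min */
#define DURATION 2    /* assumed lifetime of each child, in seconds */

/* Constructed workload: 20 connections/s for 40 s, then 2/s. */
static int arrivals(int t) { return t < 40 ? 20 : 2; }

/* Threshold policy: more than `limit` accepts in one window
 * suspends the service for SUSPEND seconds, busy or not. */
int served_rate_limit(int limit, int horizon)
{
    int served = 0, count = 0, window_start = 0, resume_at = 0;
    for (int t = 0; t < horizon; t++) {
        if (t < resume_at)
            continue;                    /* suspended: nothing accepted */
        if (t - window_start >= WINDOW) { window_start = t; count = 0; }
        for (int i = 0; i < arrivals(t); i++) {
            if (++count > limit) {       /* threshold exceeded */
                resume_at = t + SUSPEND;
                window_start = resume_at; count = 0;
                break;
            }
            served++;
        }
    }
    return served;
}

/* Concurrency cap: accept only while fewer than `cap` children run;
 * excess connections wait in the (here unbounded) backlog. */
int served_concurrency_cap(int cap, int horizon, int *peak_backlog)
{
    int started[DURATION] = {0};
    int served = 0, running = 0, backlog = 0;
    *peak_backlog = 0;
    for (int t = 0; t < horizon; t++) {
        running -= started[t % DURATION];  /* reap children started DURATION s ago */
        backlog += arrivals(t);
        int n = cap - running;             /* free slots this tick */
        if (n > backlog) n = backlog;
        started[t % DURATION] = n;
        running += n; backlog -= n; served += n;
        if (backlog > *peak_backlog) *peak_backlog = backlog;
    }
    return served;
}
```

Over a 20-minute horizon the threshold policy leaves the service closed for ten minutes after the initial burst, while the cap delays the excess connections and then serves all of them.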
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59645 CVS commit: src
Date: Sun, 17 May 2026 00:39:45 +0000
Module Name: src
Committed By: riastradh
Date: Sun May 17 00:39:45 UTC 2026
Modified Files:
src/distrib/sets/lists/tests: mi
src/tests/usr.sbin/inetd: Makefile
Added Files:
src/tests/usr.sbin/inetd: t_accept_max.sh
Log Message:
inetd(8): Add a test case for accept-max.
PR bin/59645: inetd `rate-limiting' algorithm is stupid
To generate a diff of this commit:
cvs rdiff -u -r1.1417 -r1.1418 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.2 -r1.3 src/tests/usr.sbin/inetd/Makefile
cvs rdiff -u -r0 -r1.1 src/tests/usr.sbin/inetd/t_accept_max.sh
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59645 CVS commit: src/tests/usr.sbin/inetd
Date: Sun, 17 May 2026 01:31:55 +0000
Module Name: src
Committed By: riastradh
Date: Sun May 17 01:31:55 UTC 2026
Modified Files:
src/tests/usr.sbin/inetd: t_accept_max.sh
Log Message:
inetd(8): Fix some tyupos in previous.
PR bin/59645: inetd `rate-limiting' algorithm is stupid
To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 src/tests/usr.sbin/inetd/t_accept_max.sh
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59645 CVS commit: [netbsd-11] src
Date: Mon, 18 May 2026 16:58:49 +0000
Module Name: src
Committed By: martin
Date: Mon May 18 16:58:49 UTC 2026
Modified Files:
src/distrib/sets/lists/tests [netbsd-11]: mi
src/tests/usr.sbin/inetd [netbsd-11]: Makefile
src/usr.sbin/inetd [netbsd-11]: inetd.8 inetd.c inetd.h parse.c
parse_v2.c
Added Files:
src/tests/usr.sbin/inetd [netbsd-11]: t_accept_max.sh
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #290):
usr.sbin/inetd/inetd.h: revision 1.7
usr.sbin/inetd/inetd.h: revision 1.8
usr.sbin/inetd/inetd.c: revision 1.142
tests/usr.sbin/inetd/Makefile: revision 1.3
usr.sbin/inetd/parse_v2.c: revision 1.8
usr.sbin/inetd/inetd.8: revision 1.69
tests/usr.sbin/inetd/t_accept_max.sh: revision 1.1
tests/usr.sbin/inetd/t_accept_max.sh: revision 1.2
distrib/sets/lists/tests/mi: revision 1.1418
usr.sbin/inetd/parse.c: revision 1.6
(all via patch)
Fix various typos in comments.
Add an optional accept limit to stream/nowait services.
Old syntax:
	socket-type[,accept-max][:accept-filter]
New syntax adds the option:
	accept_max	Equivalent to accept-max in positional notation.
accept_max is a positive integer. inetd will stop accepting new
connections for a service, when the number of running and
waited for instances reaches that number. Further connection
attempts will be queued by the kernel and eventually time
out.
The limit acts in parallel to the wait maximum (default 40). If
you want more than 40 instances being spawned, you also need to
adjust the wait maximum to a higher value.
inetd(8): Add a test case for accept-max.
PR bin/59645: inetd `rate-limiting' algorithm is stupid
inetd(8): Fix some tyupos in previous.
PR bin/59645: inetd `rate-limiting' algorithm is stupid
To generate a diff of this commit:
cvs rdiff -u -r1.1387.2.6 -r1.1387.2.7 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.2 -r1.2.6.1 src/tests/usr.sbin/inetd/Makefile
cvs rdiff -u -r0 -r1.2.2.2 src/tests/usr.sbin/inetd/t_accept_max.sh
cvs rdiff -u -r1.68 -r1.68.4.1 src/usr.sbin/inetd/inetd.8
cvs rdiff -u -r1.141 -r1.141.6.1 src/usr.sbin/inetd/inetd.c
cvs rdiff -u -r1.6 -r1.6.6.1 src/usr.sbin/inetd/inetd.h
cvs rdiff -u -r1.5 -r1.5.6.1 src/usr.sbin/inetd/parse.c
cvs rdiff -u -r1.7 -r1.7.4.1 src/usr.sbin/inetd/parse_v2.c
From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59645 CVS commit: src/usr.sbin/inetd
Date: Thu, 4 Jun 2026 10:41:15 +0000
Module Name: src
Committed By: riastradh
Date: Thu Jun 4 10:41:15 UTC 2026
Modified Files:
src/usr.sbin/inetd: inetd.c
Log Message:
inetd(8): Fix spacing in messages about accept_max suspend/resume.
PR bin/59645: inetd `rate-limiting' algorithm is stupid
To generate a diff of this commit:
cvs rdiff -u -r1.142 -r1.143 src/usr.sbin/inetd/inetd.c
Copyright © 1994-2026
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.