konevsa/haproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[MINOR] frontend: count denied TCP requests separately

Browse Source 
It's very disturbing to see the "denied req" counter increase without
any other session counter moving. In fact, we can't count a rejected
TCP connection as "denied req" as we have not yet instanciated any
session at all. Let's use a new counter for that.
This commit is contained in:
Willy Tarreau 2010-06-05 15:43:21 +02:00
parent 24dcaf3450
commit 2799e98a36
3 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
doc/configuration.txt
View File

@ -5225,8 +5225,10 @@ tcp-request reject [{if | unless} <condition>]
connection, which implies that the "tcp-request accept" statement will only
make sense when combined with another "tcp-request reject" statement.
Rejected connections are accounted in stats but are not logged. The reason is
that these rules should only be used to filter extremely high connection
Rejected connections do not even become a session, which is why they are
accounted separately for in the stats, as "denied connections". They are not
considered for the session rate-limit and are not logged either. The reason
is that these rules should only be used to filter extremely high connection
rates such as the ones encountered during a massive DDoS attack. Under these
conditions, the simple action of logging each event would make the system
collapse and would considerably lower the filtering capacity. If logging is

2
include/types/counters.h
View File

@ -40,6 +40,7 @@ struct pxcounters {
long long denied_req, denied_resp; /* blocked requests/responses because of security concerns */
long long failed_req; /* failed requests (eg: invalid or timeout) */
long long denied_conn; /* denied connection requests (tcp-req rules) */
union {
struct {
@ -63,6 +64,7 @@ struct licounters {
long long denied_req, denied_resp; /* blocked requests/responses because of security concerns */
long long failed_req; /* failed requests (eg: invalid or timeout) */
long long denied_conn; /* denied connection requests (tcp-req rules) */
};
struct srvcounters {

4
src/proto_tcp.c
View File

@ -731,9 +731,9 @@ int tcp_exec_req_rules(struct session *s)
if (ret) {
/* we have a matching rule. */
if (rule->action == TCP_ACT_REJECT) {
s->fe->counters.denied_req++;
s->fe->counters.denied_conn++;
if (s->listener->counters)
s->listener->counters->denied_req++;
s->listener->counters->denied_conn++;
if (!(s->flags & SN_ERR_MASK))
s->flags |= SN_ERR_PRXCOND;