Posted to dev@httpd.apache.org by Marc Slemko <ma...@znep.com> on 1997/06/10 06:13:20 UTC

[PATCH] add ListenBacklog

It is bogus to hardcode the backlog passed to the listen(2) directive.
The easy way out would be a define in httpd.h, but I like adding a
directive.  This is very useful (and I would have found it handy) in cases
where a server is being SYN flooded.

Most kernels include the unacked fake SYNs in the backlog, which means
that it can be necessary to boost it very high to avoid an artificially low
limit on the queue of incomplete connections.  512 is too low under many
kernels when under a full SYN attack, but boosting it to 2k or 4k can work
well; again, depending on the kernel.

Now, some systems don't put the SYNs in that queue (BSD/OS, I think; they
use a separate minimal-state table for SYNs that isn't counted against the
backlog) but many do...

I also decided to change the 512 default to 511 for those broken linux
systems.

Global server variables are yucky, but I think it is bogus to do this in
a per-server config.  SendBufferSize and a number of others are, IMHO,
bogusly using per-server server_rec variables.  Am I misunderstanding
something?

Oh, and there is a PR somewhere that mentions this too...

Index: htdocs/manual/mod/core.html
===================================================================
RCS file: /export/home/cvs/apache/htdocs/manual/mod/core.html,v
retrieving revision 1.57
diff -c -r1.57 core.html
*** core.html	1997/06/10 00:28:33	1.57
--- core.html	1997/06/10 03:55:52
***************
*** 43,48 ****
--- 43,49 ----
  <li><A HREF="#keepalivetimeout">KeepAliveTimeout</A>
  <li><A HREF="#limit">&lt;Limit&gt;</A>
  <li><A HREF="#listen">Listen</A>
+ <li><A HREF="#listenbacklog">ListenBacklog</A>
  <li><A HREF="#location">&lt;Location&gt;</A>
  <li><A HREF="#maxclients">MaxClients</A>
  <li><A HREF="#maxkeepaliverequests">MaxKeepAliveRequests</a>
***************
*** 657,662 ****
--- 658,676 ----
  <strong>See Also:</strong>
  <a href="../misc/known_bugs.html#listenbug">Known Bugs</a></p>
  <hr>
+ 
+ <A NAME="listenbacklog"<H2>ListenBacklog</H2></A>
+ <strong>Syntax:</strong> ListenBacklog <em>backlog</em><br>
+ <strong>Default:</strong> <code>ListenBacklog 511</code><br>
+ <strong>Context:</strong> server config<br>
+ <strong>Status:</strong> Core<br>
+ <strong>Compatibility:</strong> ListenBacklog is only available in Apache
+ versions after 1.2.0.<p>
+ 
+ The maximum length of the queue of pending connections.  Generally no
+ tuning is needed or desired, however on some systems it is desirable
+ to increase this when under a TCP SYN flood attack.  See 
+ the backlog parameter to the <code>listen(2)</code> system call.
  
  <A name="limit"><h2>&lt;Limit&gt; directive</h2></A>
  <!--%plaintext &lt;?INDEX {\tt Limit} section directive&gt; -->
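Review bot: the anchor on the new heading is malformed, `<A NAME="listenbacklog"<H2>ListenBacklog</H2></A>` is missing the `>` that closes the `<A>` tag before `<H2>`; it should read `<A NAME="listenbacklog"><H2>ListenBacklog</H2></A>`, matching the `<A name="limit"><h2>...</h2></A>` form in the context two lines below. The new section is also inserted after the `<hr>` that used to separate Listen from &lt;Limit&gt;, so nothing now separates ListenBacklog from the &lt;Limit&gt; section that follows; add an `<hr>` after the description paragraph.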
Index: htdocs/manual/mod/directives.html
===================================================================
RCS file: /export/home/cvs/apache/htdocs/manual/mod/directives.html,v
retrieving revision 1.20
diff -c -r1.20 directives.html
*** directives.html	1997/06/04 16:14:14	1.20
--- directives.html	1997/06/10 03:55:52
***************
*** 103,108 ****
--- 103,109 ----
  <li><A HREF="mod_negotiation.html#languagepriority">LanguagePriority</A>
  <li><A HREF="core.html#limit">&lt;Limit&gt;</A>
  <li><A HREF="core.html#listen">Listen</A>
+ <li><A HREF="core.html#listenbacklog">ListenBacklog</A>
  <li><A HREF="mod_dld.html#loadfile">LoadFile</A>
  <li><A HREF="mod_dld.html#loadmodule">LoadModule</A>
  <li><A HREF="core.html#location">&lt;Location&gt;</A>
Index: src/http_conf_globals.h
===================================================================
RCS file: /export/home/cvs/apache/src/http_conf_globals.h,v
retrieving revision 1.9
diff -c -r1.9 http_conf_globals.h
*** http_conf_globals.h	1997/01/01 18:10:16	1.9
--- http_conf_globals.h	1997/06/10 03:55:55
***************
*** 69,74 ****
--- 69,75 ----
  extern int daemons_max_free;
  extern int daemons_limit;
  extern int suexec_enabled;
+ extern int listenbacklog;
  
  extern char *pid_fname;
  extern char *scoreboard_fname;
Index: src/http_config.c
===================================================================
RCS file: /export/home/cvs/apache/src/http_config.c,v
retrieving revision 1.49
diff -c -r1.49 http_config.c
*** http_config.c	1997/05/15 23:39:20	1.49
--- http_config.c	1997/06/10 03:55:57
***************
*** 1043,1048 ****
--- 1043,1049 ----
      max_requests_per_child = DEFAULT_MAX_REQUESTS_PER_CHILD;
      bind_address.s_addr = htonl(INADDR_ANY);
      listeners = NULL;
+     listenbacklog = DEFAULT_LISTENBACKLOG;
  }
  
  server_rec *init_server_config(pool *p)
Index: src/http_core.c
===================================================================
RCS file: /export/home/cvs/apache/src/http_core.c,v
retrieving revision 1.82
diff -c -r1.82 http_core.c
*** http_core.c	1997/06/10 00:28:31	1.82
--- http_core.c	1997/06/10 03:56:00
***************
*** 1145,1150 ****
--- 1145,1161 ----
      return NULL;
  }
  
+ const char *set_listenbacklog (cmd_parms *cmd, void *dummy, char *arg) {
+     int b;
+ 
+     if (cmd->server->is_virtual) 
+         return "ListenBacklog not allowed in <VirtualHost>";
+     b = atoi (arg);
+     if (b < 1) return "ListenBacklog must be > 0";
+     listenbacklog = b;
+     return NULL;
+ }
+ 
  /* Note --- ErrorDocument will now work from .htaccess files.  
   * The AllowOverride of Fileinfo allows webmasters to turn it off
   */
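Review bot: the validation in `set_listenbacklog` rests on `atoi (arg)`, which ignores trailing characters and has undefined behaviour on overflow, so `ListenBacklog 2k` is accepted as a backlog of 2 and a value beyond INT_MAX is unspecified rather than rejected; parse with `strtol`, reject when the end pointer is not at the terminating NUL or `errno == ERANGE`, and keep the existing `b < 1` test. The `cmd->server->is_virtual` check is the right guard for a directive that writes a global, but the error string could say where the directive does belong (the main server config) rather than only where it does not.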
***************
*** 1258,1263 ****
--- 1269,1275 ----
  { "AddModule", add_module_command, NULL, RSRC_CONF, ITERATE,
    "the name of a module" },
  { "ClearModuleList", clear_module_list_command, NULL, RSRC_CONF, NO_ARGS, NULL },
+ { "ListenBacklog", set_listenbacklog, NULL, RSRC_CONF, TAKE1, "maximum length of the queue of pending connections, as used by listen(2)" },
  { NULL },
  };
  
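Review bot: style, the new `ListenBacklog` table entry is a single very long line while the `AddModule` entry just above wraps its help string onto a second line; break the new entry the same way so the command table stays readable at 80 columns.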
Index: src/http_main.c
===================================================================
RCS file: /export/home/cvs/apache/src/http_main.c,v
retrieving revision 1.149
diff -c -r1.149 http_main.c
*** http_main.c	1997/05/29 04:50:27	1.149
--- http_main.c	1997/06/10 03:56:06
***************
*** 147,152 ****
--- 147,153 ----
  int daemons_limit;
  time_t restart_time;
  int suexec_enabled = 0;
+ int listenbacklog;
  
  char server_root[MAX_STRING_LEN];
  char server_confname[MAX_STRING_LEN];
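Review bot: `int listenbacklog;` is left zero-initialised here and only receives DEFAULT_LISTENBACKLOG from the defaults routine patched in http_config.c; that matches `daemons_limit` above it, but a zero backlog is accepted by listen(2) and gives the smallest queue the kernel allows, so initialising to DEFAULT_LISTENBACKLOG at the definition as well would keep the listen call sane if the defaults are ever applied after a socket is created.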
***************
*** 2049,2055 ****
  #ifdef MPE
      if (ntohs(server->sin_port) < 1024) GETUSERMODE();
  #endif
!     listen(s, 512);
      return s;
  }
  
--- 2050,2056 ----
  #ifdef MPE
      if (ntohs(server->sin_port) < 1024) GETUSERMODE();
  #endif
!     listen(s, listenbacklog);
      return s;
  }
  
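Review bot: `listen(s, listenbacklog)` still discards the return value, exactly as the hard-coded `listen(s, 512)` did, so a failing listen() hands back `s` as though it were accepting connections; check for -1 and report errno before returning. Worth a line in the ListenBacklog documentation too: kernels clamp the backlog to their own ceiling (SOMAXCONN; Dean notes further down that Linux of this era will not go above 128), so raising the directive to the 2k or 4k mentioned in the description may have no effect without a kernel change.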
Index: src/httpd.h
===================================================================
RCS file: /export/home/cvs/apache/src/httpd.h,v
retrieving revision 1.112
diff -c -r1.112 httpd.h
*** httpd.h	1997/06/06 13:51:10	1.112
--- httpd.h	1997/06/10 03:56:08
***************
*** 237,242 ****
--- 237,254 ----
  
  #define DEFAULT_MAX_REQUESTS_PER_CHILD 0
  
+ /* The maximum length of the queue of pending connections, as defined
+  * by listen(2).  Under some systems, it should be increased if you
+  * are experiencing a heavy TCP SYN flood attack.
+  *
+  * It defaults to 511 instead of 512 because some systems store it 
+  * as an 8-bit datatype; 512 truncated to 8-bits is 0, while 511 is 
+  * 255 when truncated.
+  */
+ 
+ #define DEFAULT_LISTENBACKLOG 511
+ 
+ 
  /* If you have altered Apache and wish to change the SERVER_VERSION
   * identifier below, please keep to the HTTP specification.  This states that
   * the identification string should consist of product tokens with an optional
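As an added example (not part of Marc's patch or the Apache source), a stricter parser for the ListenBacklog argument beside the atoi() check the patch uses, plus the 8-bit truncation that the httpd.h comment gives as the reason for defaulting to 511. The function names and error strings are invented for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Patch-style check: atoi() ignores trailing characters ("2k" -> 2) and
 * overflow is undefined.  Returns -1 where the patch returns its error. */
int parse_backlog_atoi(const char *arg)
{
    int b = atoi(arg);
    return b < 1 ? -1 : b;
}

/* Hypothetical stricter handler body: the whole argument must be a decimal
 * integer in 1..INT_MAX.  Returns -1 and sets *err on rejection. */
int parse_backlog_strict(const char *arg, const char **err)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(arg, &end, 10);
    if (end == arg || *end != '\0')
        *err = "ListenBacklog must be a decimal integer";
    else if (v < 1)
        *err = "ListenBacklog must be > 0";
    else if (errno == ERANGE || v > INT_MAX)
        *err = "ListenBacklog is too large";
    else {
        *err = NULL;
        return (int)v;
    }
    return -1;
}

/* The hazard behind DEFAULT_LISTENBACKLOG 511: a libc that passes the
 * backlog through an unsigned char hands the kernel (arg mod 256). */
int backlog_through_8bit_libc(int requested)
{
    return (int)(unsigned char)requested;
}

int main(void)
{
    /* constructed sample directive arguments */
    const char *inputs[] = { "511", "2048", "2k", "0", "" }, *err;

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int strict = parse_backlog_strict(inputs[i], &err);
        printf("%-5s atoi:%5d strict:%5d %s\n", inputs[i],
               parse_backlog_atoi(inputs[i]), strict, err ? err : "ok");
    }
    printf("512 via 8-bit libc -> %d, 511 -> %d\n",
           backlog_through_8bit_libc(512), backlog_through_8bit_libc(511));
    return 0;
}
```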


Re: [PATCH] add ListenBacklog

Posted by Marc Slemko <ma...@znep.com>.
Anyone else?  A +1 from Jim is all I have so far...

For HEAD only.



Re: [PATCH] add ListenBacklog

Posted by Marc Slemko <ma...@worldgate.com>.
On Tue, 10 Jun 1997, Dean Gaudet wrote:

> On Mon, 9 Jun 1997, Marc Slemko wrote:
> > I also decided to change the 512 default to 511 for those broken linux
> > systems.
> 
> I'm not convinced this is required... at least eyeballing the 2.0.30
> linux kernel code it doesn't seem to be.  But I think last time I said
> that Aram said it's a library problem.  Yuck.  Linux won't go over 128
> anyhow, but I wrote a patch that lets it go over 128.  I should try to
> get it into the mainstream.

It is an old version, I have actually seen a few people have the problem
and, when I had them change it to 511, it worked.

Hmm.  Just did a search and found a patch you wrote two months ago where
you changed it from an unsigned char.  And some old Linux kernel source
was warning of the problem...

It certainly isn't a problem with newer versions or there would be a lot
of trouble.

> 
> > Oh, and there is a PR somewhere that mentions this too...
> 
> PR#240, which actually includes a patch too.

Yup, but the patch is broken because it implements it as a per server
thing.  OTOH, numerous existing things do that when they (IMHO)
shouldn't...

> 
> +1 on your patch.
> 
> Dean
> 


Re: [PATCH] add ListenBacklog

Posted by Dean Gaudet <dg...@arctic.org>.
On Mon, 9 Jun 1997, Marc Slemko wrote:
> I also decided to change the 512 default to 511 for those broken linux
> systems.

I'm not convinced this is required... at least eyeballing the 2.0.30
linux kernel code it doesn't seem to be.  But I think last time I said
that Aram said it's a library problem.  Yuck.  Linux won't go over 128
anyhow, but I wrote a patch that lets it go over 128.  I should try to
get it into the mainstream.

> Oh, and there is a PR somewhere that mentions this too...

PR#240, which actually includes a patch too.

+1 on your patch.

Dean