From: Willy Tarreau Date: Sat, 5 Jun 2010 13:43:21 +0000 (+0200) Subject: [MINOR] frontend: count denied TCP requests separately X-Git-Tag: v1.5-dev8~572 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2799e98a368b2bbace57049267668fca5a6d1c42;p=thirdparty%2Fhaproxy.git [MINOR] frontend: count denied TCP requests separately It's very disturbing to see the "denied req" counter increase without any other session counter moving. In fact, we can't count a rejected TCP connection as "denied req" as we have not yet instantiated any session at all. Let's use a new counter for that. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 7aa12a71a9..a9a5793b05 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -5225,8 +5225,10 @@ tcp-request reject [{if | unless} ] connection, which implies that the "tcp-request accept" statement will only make sense when combined with another "tcp-request reject" statement. - Rejected connections are accounted in stats but are not logged. The reason is - that these rules should only be used to filter extremely high connection + Rejected connections do not even become a session, which is why they are + accounted separately for in the stats, as "denied connections". They are not + considered for the session rate-limit and are not logged either. The reason + is that these rules should only be used to filter extremely high connection rates such as the ones encountered during a massive DDoS attack. Under these conditions, the simple action of logging each event would make the system collapse and would considerably lower the filtering capacity. If logging is diff --git a/include/types/counters.h b/include/types/counters.h index 7a0ff1d342..a333219cb5 100644 --- a/include/types/counters.h +++ b/include/types/counters.h 
@@ -40,6 +40,7 @@ struct pxcounters { long long denied_req, denied_resp; /* blocked requests/responses because of security concerns */ long long failed_req; /* failed requests (eg: invalid or timeout) */ + long long denied_conn; /* denied connection requests (tcp-req rules) */ union { struct { @@ -63,6 +64,7 @@ struct licounters { long long denied_req, denied_resp; /* blocked requests/responses because of security concerns */ long long failed_req; /* failed requests (eg: invalid or timeout) */ + long long denied_conn; /* denied connection requests (tcp-req rules) */ }; struct srvcounters { diff --git a/src/proto_tcp.c b/src/proto_tcp.c index 3a1abad9e6..1c93396089 100644 --- a/src/proto_tcp.c +++ b/src/proto_tcp.c @@ -731,9 +731,9 @@ int tcp_exec_req_rules(struct session *s) if (ret) { /* we have a matching rule. */ if (rule->action == TCP_ACT_REJECT) { - s->fe->counters.denied_req++; + s->fe->counters.denied_conn++; if (s->listener->counters) - s->listener->counters->denied_req++; + s->listener->counters->denied_conn++; if (!(s->flags & SN_ERR_MASK)) s->flags |= SN_ERR_PRXCOND;
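Review bot: the doc/configuration.txt hunk promises that rejected connections are "accounted separately for in the stats, as 'denied connections'", but nothing in this patch touches the stats output: the new denied_conn counter is declared and incremented, yet no hunk dumps it on the stats page or in the CSV, so operators reading this text will look for a field that does not exist yet. Either add the stats reporting in this commit or reword the doc to match what is actually visible. Two smaller points on the same hunk: "accounted separately for in the stats" reads better as "accounted for separately in the stats", and the added sentence "They are not considered for the session rate-limit" describes behaviour that no hunk in this patch implements, so it should be confirmed to be pre-existing behaviour before being documented here.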
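Review bot: in the struct pxcounters hunk, denied_conn is inserted after failed_req in the shared part of the structure, immediately before the "union { struct {" that holds the side-specific counters. The only increment site in this patch is s->fe->counters (frontend), so the field looks frontend-only and would sit more naturally in the frontend member of that union, or its comment should say it is frontend-only; placing it next to denied_req and denied_resp would also keep the "denied" counters together for readers. Please also check that whatever clears or resets proxy counters covers the new field, since it is not a field-by-field change anywhere in this diff.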
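Review bot: the struct licounters hunk adds denied_conn with the same comment as the pxcounters hunk, which is fine for consistency, but the two declarations now rely on the comment "denied connection requests (tcp-req rules)" to explain that the value is only ever moved by "tcp-request reject" rules. A short note that denied_req is deliberately left untouched for these rejects (the whole point of the commit) would save the next reader from wondering whether both counters are meant to move.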
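Review bot: the src/proto_tcp.c hunk changes observable behaviour, not just a name: before this patch a TCP_ACT_REJECT bumped denied_req on both the frontend and the listener, after it those two counters stay at zero for rejected connections and denied_conn moves instead. Any monitoring or alerting that watched "denied req" to notice that "tcp-request reject" rules were firing during a flood will go quiet without warning, so the commit message should say explicitly that denied_req no longer counts TCP-level rejects and that the new counter must be used instead. The code itself is consistent: both increments are switched together and the listener increment keeps the existing "if (s->listener->counters)" guard.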