From: Christopher Faulet
Date: Thu, 6 Nov 2025 10:12:09 +0000 (+0100)
Subject: MEDIUM: stktables: Limit the number of stick counters to 100
X-Git-Tag: v3.3-dev12~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=80edbad4f9fba55ac319c1451b9594774bdbf9d0;p=thirdparty%2Fhaproxy.git

MEDIUM: stktables: Limit the number of stick counters to 100

"tune.stick-counters" global parameter was accepting any positive integer value. But the maximum value is incredibly high. Setting a huge value has significant impact on memory and CPU usage. To avoid any issue, this value is now limited to 100. It should be great enough for all usages.

It can be seen as a breaking change.
---
diff --git a/doc/configuration.txt b/doc/configuration.txt index c47af4fbc..1f53e9bd6 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt 
@@ -5288,15 +5288,16 @@ tune.stick-counters connection or a request via "track-sc*" actions in "tcp-request" or "http-request" rules. The default value is set at build time by the macro MAX_SESS_STK_CTR, and defaults to 3. With this setting it is possible to - change the value and ignore the one passed at build time. Increasing this - value may be needed when porting complex configurations to haproxy, but users - are warned against the costs: each entry takes 16 bytes per connection and - 16 bytes per request, all of which need to be allocated and zeroed for all - requests even when not used. As such a value of 10 will inflate the memory - consumption per request by 320 bytes and will cause this memory to be erased - for each request, which does have measurable CPU impacts. Conversely, when - no "track-sc" rules are used, the value may be lowered (0 being valid to - entirely disable stick-counters). + change the value and ignore the one passed at build time, but it cannot be + set to a value greater than 100. Increasing this value may be needed when + porting complex configurations to haproxy, but users are warned against the + costs: each entry takes 16 bytes per connection and 16 bytes per request, all + of which need to be allocated and zeroed for all requests even when not + used. As such a value of 10 will inflate the memory consumption per request + by 320 bytes and will cause this memory to be erased for each request, which + does have measurable CPU impacts. Conversely, when no "track-sc" rules are + used, the value may be lowered (0 being valid to entirely disable + stick-counters). tune.takeover-other-tg-connections By default, we won't attempt to use idle connections from other thread groups. diff --git a/src/stick_table.c b/src/stick_table.c index d8c5b4a55..06a91ea49 100644 --- a/src/stick_table.c +++ b/src/stick_table.c 
@@ -5940,8 +5940,8 @@ static int stk_parse_stick_counters(char **args, int section_type, struct proxy return -1; } - if (counters < 0) { - memprintf(err, "%s: the number of stick-counters may not be negative (was %d)", args[0], counters); + if (counters < 0 || counters > 100) { + memprintf(err, "%s: the number of stick-counters must be between 1 and 100 (was %d)", args[0], counters); return -1; }
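Review bot: In the doc/configuration.txt hunk, the new sentence "it cannot be set to a value greater than 100" does not say what happens when the limit is exceeded. Per the parser change in this same patch the directive is rejected with an error (return -1), so the text should state that a larger value is refused at configuration parsing rather than silently clamped, since existing configurations with a larger value will stop loading. The paragraph also still says the default comes from the build-time macro MAX_SESS_STK_CTR; nothing visible in this patch bounds that macro, so either document that the limit applies only to the configuration keyword or add a matching build-time check. It would also help to give the per-request cost at the ceiling next to the existing "value of 10 ... 320 bytes" figure, so readers see what the cap actually bounds.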
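Review bot: In the src/stick_table.c hunk, the new error text "must be between 1 and 100" disagrees with the condition beside it: "counters < 0 || counters > 100" accepts 0, and the documentation hunk keeps "0 being valid to entirely disable stick-counters". The message should read "between 0 and 100", otherwise a user who hits the error is told that a valid setting is forbidden. The literal 100 is also hard-coded in both the test and the message; a named macro used in both places would keep the check, the message and the documentation from drifting apart if the limit is ever changed.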